Are you clear about your trusted sources for security advice?
So you’ve managed to instil sufficient interest in security across the business that people actually recognise situations where they may need to exercise caution and ask for help. Congratulations, that’s a really great step, but all that hard work can be rapidly undone if queries are met with inconsistent or misleading information. How would the following examples be handled?
How do I set up encrypted email?
Can I access this website if the certificate has expired?
Can I charge my mobile at work if I set it to ‘charge only’?
In some cases your IT setup may limit these choices, but however that’s done there will always be situations where users need guidance, which can come from a vast range of sources: face to face, system messages, online help, forums, policy and training guides, security vendor guidance, etc.
If we get information overload or conflicting advice, it can result in various potentially damaging responses: delaying an action, following the path of least resistance, finding an alternative (less secure) way to get something done, etc.
Trust is also a major factor. If your security team provides a response that is contradicted by a slick YouTube clip with 2M hits, it’s only natural for people to question it. In an ever-changing landscape it’s vital to establish and maintain the trusted pathways that you need your people to use.
So think about the sources that are available to your people and consider how easy you are making it for them to find clear, timely and accessible guidance about common security queries.
Here are a few tips on situations to recognise and avoid.
If security reps verbally contradict documented guidance (“Oh, that’s out of date, so you don’t need to do that anymore”), that sets the expectation that all other documents are potentially out of date and can be ignored.
If you deliver security training to your staff, make sure the materials are REALLY, REALLY easy to locate and access at a later date. Chances are people won’t remember most of it but may want to refer back to it.
Don’t rely on advice from “your neighbour/friend who works in IT”. They may be knowledgeable about wider IT but won’t know the context of your organisation and what the risk profile is.
“I don’t know” is a perfectly acceptable response to a security query. It’s pretty much impossible for any individual to know about all aspects of Cyber Security, but we frequently come across IT/Security folk who try to give an answer to everything. Know your limits and embrace opportunities to develop if you’re not sure about something.
This blog highlights a single situation where security can be affected by the behaviour of people throughout your business. Glacis has developed the Secure Behaviour framework to help diagnose and resolve the factors that influence human security behaviour. This reduces cyber security risk and improves digital productivity. If you’d like to know more then please get in touch.