Part of the challenge with information security is that it requires staff beyond the information technology group to generally do the right thing. We set things up securely to the best of our ability, but there will always be situations where a user has to know how to act — whether that is declining to click on a link, setting a unique password, or checking that a request for information is legitimate.
To change culture internally, IT should provide good security tools and education about these tools. Training should go beyond simply explaining how to use a tool or technology; it should also convey why we want something to happen (or not). And if we want our colleagues to pay attention, the training also must be engaging.
For example, last year at the American Public Power Association, we revised our password training. To offer context, we described how long it would take adversaries to break different passwords, and therefore what strengths of passwords we required. We were able to share the good news that the National Institute of Standards and Technology recommendations on passwords had changed. It was worthwhile to review the new standards, and staff were particularly happy to hear about the reduced need for periodic password changes. To make the training engaging, we have a password generation methodology that can be fun to use — it involves rolling dice.
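The dice-based method mentioned above is the Diceware idea: each word of a passphrase is chosen by rolling dice and looking the result up in a numbered word list, so the strength of the result depends only on the list size and the number of words, not on anything the user has to invent. The following is an added example (not the Association's own training material or tool) that shows the arithmetic behind that method: converting dice rolls to a word-list index, assembling a passphrase, computing its entropy in bits, and turning bits into a rough average crack-time for an assumed guessing rate. The 36-word list is constructed for the demo (two dice select a word); a real Diceware list has 7776 = 6**5 words and uses five dice per word, and the same functions handle it.

```python
import math
import secrets

# Constructed demo word list: 36 entries so that two six-sided dice
# (6**2 = 36 outcomes) select exactly one word. A real Diceware list has
# 7776 = 6**5 entries and needs five dice per word; the code is the same.
DEMO_WORDS = [
    "acid", "arch", "atom", "bake", "bell", "bird", "bolt", "bush", "cake",
    "calm", "cave", "clay", "coal", "cold", "corn", "crab", "dawn", "deer",
    "desk", "dock", "dust", "echo", "fern", "fire", "flag", "fog", "frog",
    "gate", "gold", "hail", "harp", "hawk", "hill", "iron", "jade", "kite",
]


def roll_dice(n):
    """Roll n fair six-sided dice using the OS CSPRNG (secrets, not random)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def rolls_to_index(rolls):
    """Treat the dice as base-6 digits (1..6 -> 0..5) and return a list index."""
    idx = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("a six-sided die shows 1..6, got %r" % (r,))
        idx = idx * 6 + (r - 1)
    return idx


def dice_needed(list_size):
    """How many dice select one word; the list must have exactly 6**n words."""
    n = 0
    while 6 ** n < list_size:
        n += 1
    if 6 ** n != list_size:
        raise ValueError("word list size must be a power of 6, got %d" % list_size)
    return n


def pick_word(wordlist, rolls):
    """Look up the word selected by one set of dice rolls."""
    return wordlist[rolls_to_index(rolls)]


def passphrase(wordlist, n_words, rng=roll_dice):
    """Build an n_words passphrase; rng(n) must return n dice values."""
    n_dice = dice_needed(len(wordlist))
    return " ".join(pick_word(wordlist, rng(n_dice)) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n_words independent uniform picks from list_size choices."""
    return n_words * math.log2(list_size)


def average_crack_seconds(bits, guesses_per_second):
    """Expected time to guess a secret of the given entropy: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Assumed guessing rate for the comparison; real rates depend on the hash.
    RATE = 1e10
    print("demo passphrase:", passphrase(DEMO_WORDS, 4))
    for label, size, count in [
        ("8 lowercase letters", 26, 8),
        ("4 words from the 36-word demo list", len(DEMO_WORDS), 4),
        ("6 words from a 7776-word Diceware list", 7776, 6),
    ]:
        bits = entropy_bits(size, count)
        years = average_crack_seconds(bits, RATE) / (365.25 * 24 * 3600)
        print("%-40s %6.1f bits  ~%.3g years at %.0e guesses/s" % (label, bits, years, RATE))
```

Running the script prints a random demo passphrase and a table comparing entropy and crack-time for a short random password, the demo list, and a full Diceware list; the crack-time column is only as good as the assumed guessing rate, which is why the training focuses on the bits rather than on a fixed number of years.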
Bringing in new practices does not mean the old practices and problems go away. It is not simply a matter of instituting a new process, but also of doing such things as updating old shared accounts that have insecure passwords or thinking through the risks of systems that are hard to fully secure or that induce insecure behaviors. Security is more like preventive healthcare, where we continuously do many small things that cumulatively reduce risk, rather than expecting one or two big surgeries to fix every problem. Of course, some changes make a big difference on their own — enabling two-factor authentication, for example, is probably the security equivalent of giving up smoking.
While a constant drumbeat of security updates to staff will probably lead to them tuning you out, it’s appropriate to engage them on particularly serious ones. There are plenty of examples we can give to show why security best practices are important — not only to our work, but also to their personal lives. Many of the things we want people to do at work overlap with the things they should be doing at home, which can help the message stick.
By pointing out that the Equifax breach was caused by a failure to keep systems updated, we can drive home the message of why updates are important, even if they are time-consuming or inconvenient. Or we can tell them that if Mark Zuckerberg had used a system to manage his passwords (back in 2012 – they were around then!), the breach of his LinkedIn credentials wouldn’t have also compromised his Pinterest and Twitter accounts. Or we can share that Google credits its properly configured two-factor authentication system for its having zero account breaches for its staff in the last year.
An important part of transforming information security practices is to recognize that people are fallible and make mistakes. Regular training and retraining help reduce the incidence of mistakes. Over the next year, we are working to formally repeat and refresh our staff’s security training. Repetition is key, as is updating for relevance. The security landscape changes, so training cannot be one-and-done.
We rely on our colleagues to self-report mistakes, so it’s important that training (and correction) be approached in as humane a way as possible. If people know they will be yelled at for messing up, they’re far less likely to come to confess. In the end, making our workplaces secure is about much more than implementing the right tools. It’s about supporting and nudging our colleagues toward adopting a security mindset.