Winning the Hearts and Minds of Employees on Security

Winning over the hearts and minds of employees is pivotal in the battle for information security. They can be the greatest threat or the most powerful asset in the fight to keep a company's business secure. A recent report from Webroot showed promising changes in employee attitudes toward security. Ninety-five percent of those surveyed agree that compliance with company security policies is important. This is hugely significant. When employees believe security is important, it promotes a culture of common sense and fosters peer reinforcement of securing corporate assets.

Only one-quarter of people admitted they had attempted to bypass company security policies while at work. At first glance, one in every four people actively trying to get around policy might seem high, but not too many years ago these numbers were inverted. Most people believed that security policies were overly burdensome, ineffective, and unimportant. Consequently, most workers occasionally side-stepped policy while striving to meet corporate objectives.

So what happened? What were the catalysts that changed the situation into a more security-friendly environment? Three things occurred in the industry which drove the behavioral changes: the relevance of security increased, communication and training improved, and, maybe most importantly, IT and Information Security departments became more sensitive to users' work needs.

Information security has become more relevant to all employees, both at work and at home. Attacks targeting personal information, finances, privacy, and social reputation have become commonplace. The threat of identity theft, email break-ins, social media harassment, location tracking, and even the harvesting of pictures from phones and personal online storage sites has caused concern to grow. People are worried at home, and that translates into a healthy paranoia when they come to work. Overall, this is good for corporate security.

Over the past few years, companies have spent more time and effort communicating with and training employees on security risks, problems, and controls. Security professionals have grasped the fact that vulnerabilities are not just technical: behavioral aspects contribute and must be addressed at the user level. Beyond the new-hire or annual security training and notices, many organizations have spent time and effort raising security awareness among their flock, a very good investment against a broad swath of attacks.

Arguably the most important behavioral change has been on the IT and Information Security side. In the past, some organizations applied iron-fisted security programs and policies which were just as impactful as the problems they were designed to protect against. These organizations have largely matured in how they present risks, design controls, and respond to problems. They have striven to understand the business and how employees work in order to reduce the overall impact of security. They find a healthy balance between risk and controls and do so in a manner which purposefully minimizes impacts to employees. The survey found sixty-one percent of employees reported that their employer's security policies never or rarely made it more difficult for them to do their jobs. This kind of partnership fosters teamwork instead of contempt.

These are valuable lessons for every security organization. Employee support is crucial to every good security plan. Communicate, partner, and keep security relevant in order to win the hearts and minds of employees.

Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost-effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry-leading organization bringing together security across hardware, firmware, software, and services. An outspoken advocate of cybersecurity, he strives to advance the industry, and his guidance can be heard at conferences and found in whitepapers, articles, and blogs.