Security education: ineffective or the wrong approach?
Employees don’t give two hoots about security or security policies. They share passwords with colleagues; they share work devices with others without supervision; they transfer files from their laptop to home computer; they use their corporate email address to subscribe to non-work related newsletters / sites; and if their boss says they can’t do something, nine out of ten will try.
And if recent reports are anything to go by, more and more employees will ignore a company’s security policies if that either means getting work done faster or if they need some form of insurance in case they receive that dreaded, recession-driven ‘thank-you-but-you-are-fired’ letter.
If employees are going to ignore the IT department and bypass security policies anyway, what’s the use of spending unproductive time trying to educate people and writing policies that won’t be read by anyone, let alone adhered to?
Waste of time, money and resources? Or are we missing the point altogether?
There are two schools of thought.
The first school believes that employee awareness is a waste of time. There is no point in security awareness, critics argue, if no one is going to listen. They argue further that tech-savvy employees – and they are increasing in number – will always find a way around any obstacle the IT admin puts in their path. The best course of action, they conclude, is to simply plug as many security holes as possible using group policies and software/hardware to protect the network.
The second school, however, believes that security education has been a failure because the approach has been flawed from the outset. For years there has been a serious disconnect between IT, Management and employees. Same company, same goals but each one talking a totally different language. And here, I think, lies the problem.
Employees (and non-IT managers) cannot be given a ‘do not’ list and be expected to follow each item to the letter. People – and this is an important word – are not machines that accept instructions without question. People would like to understand (even if they disagree) what they are being asked to do… and it makes a huge difference in terms of both the relationships with managers and IT personnel and how employees go about their job.
When properly administered, security awareness in an organization can make a difference. You cannot expect EVERYONE to heed your wise words but an explanation using everyday language will hit home. If five out of every 10 employees start paying greater attention to what attachments they are opening or what links in emails they click on, the IT helpdesk, for example, stands to benefit from fewer ‘there are pop-ups all over my screen – what am I going to do?’ calls.
Some employees will totally ignore anything their IT manager says – they either don’t care or they are too tech-savvy to be ‘educated’; but there are others who will appreciate being told why they need to use a complex password and not their mother’s maiden name or their surname.
The key is to relate security to something they can associate with; an issue that could affect them personally. Weak passwords are easily hacked… if employees use weak passwords for all their accounts and memberships, their data and identity are at risk – personal data too. People are apt to change attitudes when the problem is closer to home than they realized.
Education alone will not shore up a network’s defenses. Security policies, software or hardware security measures are a must (woe betide those who think otherwise – and they are many). Raising awareness about security among employees and non-IT staff is not something to be ignored.
With proper planning, some incentives and senior management’s backing, security education will have a positive impact over time.