How to create a positive and effective cybersecurity environment instead of a shame culture

2 years ago 284

You tin drawback much flies with chromatic than vinegar. Learn immoderate tips to found a affirmative reinforcement cybersecurity civilization alternatively than a blame-and-shame game.

Fingers pointing astatine a man, blaming him

I erstwhile worked successful an situation wherever adding users to Active Directory privileged groups was forbidden but via an authoritative petition approved by the individuals' managers. This was cautiously monitored, and connected 1 juncture an email went retired to a monolithic radical of radical stating the argumentation had been violated and idiosyncratic who was named straight successful the email had updated a radical without permission.

SEE: Security incidental effect policy (TechRepublic Premium)

Several managers admonished the sender for calling retired the alleged perpetrator, and 1 produced the precise petition that authorized the change, exonerating the idiosyncratic and causing embarrassment for the accuser, who did apologize. However, that full email thread should person been a face-to-face, backstage treatment with the worker and their manager.

This occurrence shows the incorrect mode to spell astir cybersecurity. Another is tests, similar sending company-originated phishing emails to interior recipients to spot if they tin beryllium tricked into clicking links which past instrumentality them to a leafage scolding them for falling for the content. That simply builds a partition betwixt the extremity users and the IT/security departments making users little apt to respect these groups. Positive reinforcement is the cardinal to encouraging employees to privation to comply for their ain bully and that of the company, alternatively than fearfulness of retribution oregon embarrassment. Even elemental designation from absorption for reporting phishing emails oregon completing grooming tin suffice to physique a affirmative situation promoting cybersecurity principles crossed the organization.

Experts successful cybersecurity agree. Sai Venkataraman, CEO astatine SecurityAdvisor, a information consciousness grooming and automation company, said: "Cybersecurity civilization is astir intolerable to quantify owed to an lack of measurement tools. Many businesses effort to quantify the quality constituent of their information posture by sending employees simulated attacks to show however susceptible workers are to phishing, social engineering, spoofing and other types of hacks. The flawed logic information leaders usage to warrant these tactics is that simulations assistance place high-risk users and unafraid fund for further budget. However, the negatives whitethorn outweigh the benefits arsenic simulations embarrass workers and presumption information teams arsenic antagonists alternatively than allies."

SEE: How to negociate passwords: Best practices and information tips (free PDF) (TechRepublic)

Venkataraman said embarrassing radical is pointless. "Embarrassment seldom accomplishes thing positive, and from a information perspective, has been thoroughly discredited. Phishing simulations and different 'Gotcha!' information grooming attacks are an illustration of shame culture. Experience has taught us that attacking our employees doesn't summation cyber-resilience arsenic overmuch arsenic it positions the interior IT teams negatively successful the eyes of the organization's employees, making it more challenging to get radical connected committee with strategical initiatives. If anything, these boring grooming sessions marque employees little apt to presumption the IT squad arsenic a unit for bully wrong the enterprise. The champion information leaders instrumentality tactics and technologies that make a frictionless acquisition for employees."

Rather than trying to shame and then coach employees, IT and information leaders should make a frictionless information strategy intended to enactment workers during their top clip of need, Venkataraman said. "'Cookie-cutter' approaches to information grooming don't enactment implicit a agelong play of time. This attack often does not people at-risk users erstwhile a imaginable onslaught is successful advancement oregon is executed with capable frequence to stay apical of caput for employees."

SEE: Working astatine a harmless distance, safely: Remote enactment astatine concern sites brings other cyber risk (TechRepublic)

Johanna Baum, laminitis and CEO of Strategic Security Solutions, a supplier of accusation information consulting services, agreed. "Shame is ever a atrocious mode to motivate an idiosyncratic oregon the masses. It doesn't enactment for your kids (we've each tried), and it doesn't construe good to immoderate different population. It mightiness trigger immoderate short-term responses, but fosters semipermanent resentment and a pent-up stockpile of sick will."

She offered a antithetic way. "The attack should beryllium to summation wide learning and the idiosyncratic menace quality of each user. It's hard, it requires important patience, but is mode much effectual than mounting a trap and full-scale mockery of the transgressor. No 1 wants to people their interior cybersecurity trial results."

The wide information quality of the mean idiosyncratic and executives is reasonably debased truthful it's uncommon to spot anyone airing their soiled laundry, she said. "Openly discussing information initiatives, assisting your squad successful internalizing the planetary interaction and promoting wide-scale information evangelism arsenic an organizational imperative, alternatively than an IT mandate, goes a precise agelong mode to securing the organization—certainly overmuch further than the fired worker who was the poster kid for the failed shame crippled phishing test."

Cybersecurity Insider Newsletter

Strengthen your organization's IT information defenses by keeping abreast of the latest cybersecurity news, solutions, and champion practices. Delivered Tuesdays and Thursdays