Employees Jeopardizing Security Policies. Help!
As a security operations officer, you might find yourself in a situation where you have spent days and nights working to protect your company's assets, established security controls and mitigated every risk you could identify, yet your fellow co-workers simply disregard your guidelines. Why? And, more importantly, what can you do about it?
For sure, the vast majority of employees do not violate the rules on purpose; they are more often just being reckless or lazy. If you know someone is doing it deliberately, it's time to take action. Your colleagues from other departments care about getting their own work done and do not pay attention to anything else. Do not take their behavior personally; we are all guilty of it at some point.
How do you make people care about the security guidelines and procedures you proposed? It is up to you whether you punish employees for every small mistake and become the office villain, or turn your co-workers into allies and help them on their journey to security. At Cygna Labs, we believe the second path is much better. So where do you start?
Ask yourself: when you first came up with the security guidelines, did you share them with your co-workers? Do they actually know these guidelines exist? Were they instructed to follow them? In most cases, employees are generally happy that someone is taking care of security and preventing data loss, but they do not feel that they should participate in these activities themselves. For most employees, your guidelines are not part of the real work process but a formality for a compliance certification that comes and goes. Do not blame them! It's time to turn the whole situation upside down.
First of all, provide clear descriptions of your security controls. Explain why each control matters and what your overall goals are. Conduct training, create step-by-step instructions, or even post security checklists on your corporate SharePoint site—take every chance to spread awareness. Take a step further and discuss the common threats in your industry and how to recognize them. Once your colleagues have a coherent picture, some security measures will no longer look annoying or excessive to them. Naturally, they'll have more questions, so assure them they can come to you when in doubt.
So you've got them on board! Now that you and your co-workers value the same things, encourage them to be proactive. Gamification can work well here: reward your colleagues for being cautious and make them proud of it. Congratulations to those who change their passwords after the first reminder! But be careful not to turn this into an espionage game where co-workers spy on each other. That's not what you want, right?
You did a great job explaining security basics and motivating your fellows. Are they still violating the rules? Oh... take a look at your guidelines then.
Evaluate your policies: do they allow employees to do their work effectively? Could you have over-engineered the security guidelines while trying to remediate every risk? If your colleagues experience security-related distractions all the time, it's a sign that your control framework is not that good. You may have assessed every possible risk, but you didn't find the right balance between security and operational efficiency. So take a closer look at users' daily tasks and the resources they use, and try to make their lives a little easier by introducing some security automation or revisiting the guidelines.
The journey to security can be a tough one, and you might be forced to review your guidelines and controls over and over again. Do not get discouraged; just keep going, and eventually you'll find the right way to persuade your co-workers to join you on the security path. As newer and newer threats appear on the security radar, remember to remain on friendly terms with your co-workers. After all, they and the company are what you take care of as a security operations officer.
See a recent post on what you can do once the first auditing is over and guidelines are ready—First Auditing Is Over. What Is Next?