Jason Whyte, MD of Trustwave A/NZ, explains how technology leaders can ensure the work practices of their colleagues do not put their company’s cybersecurity at risk.
If you want to ensure work practices deliver on cybersecurity, you need to ensure you don’t build an environment of fear around it.
While the consequences of a breach can be severe, you should encourage transparency and openness in your colleagues. After all, they are often the front-line in understanding what risks your company is actually facing in its real-world, day-to-day operations.
To quote Frank Herbert’s Dune: ‘Fear is the mind-killer’. It is better for cybersecurity to be boring than terrifying. Fear is also the communication killer, and open internal communication about your team’s business practices is critical to determining where any potential issues lie and then dealing with them appropriately.
The core principle should be ‘make the secure way the easy way.’ When the pandemic hit and people started using unauthorized cloud services it wasn’t because they were being mischievous or wilfully trying to put the company at risk, they were trying to do their job the best they could – and those cloud services were the fast-track to doing that. If the easy way was a secure cloud service that worked for them, there would never have been a problem in the first place.
Prohibiting a behaviour without thinking through the consequences, and without offering a sanctioned alternative, will almost always go wrong. If you need someone to get a large file from Point A to Point B, but there is no authorized file sharing service and you have also banned USB drives, you’re eventually going to have a bad day.
As technology leaders, here are three key points worth following:
(a) Understand the work practices of your colleagues, in very practical and realistic terms
(b) Have an amnesty to get people to ‘fess up to non-compliant stuff they do without fear of getting in trouble
(c) Put in place enabling technologies with proper security that address (a) and (b)
For example, if you give someone a popup that says: ‘Would you like to be secure today, yes/no’, everyone will click ‘yes’… unless the implication of clicking ‘yes’ is that half their applications don’t work… in which case they’ll click ‘no’. Think like them and security and best business practices will follow.
And keep learning at the forefront. A work environment that remains open to learning about possible risk will invariably reduce that risk when it finds it. The best source of information on non-compliance and on risky business practices is simply asking employees and supporting their awareness, not punishing it.
You want your colleagues to push the envelope when it comes to getting important work done. We all know shortcuts will sometimes happen. We just need to make it OK for them to tell us.