What Your Employees Should Know About Security: Part 1
by Scott Lewis
Security awareness is a huge topic these days. We hear a lot about it, and we hear the questions that go with it: Why does this keep happening? Why can't we stop viruses, ransomware and hacking attempts? These and many other questions continue to baffle technology professionals and corporations around the world, and in this series I am going to try to tackle them.
According to the IBM Cyber Security Intelligence Index, more than 95% of cybersecurity incidents involve human error. One of the most overlooked areas in corporations’ security protocols and practices is ongoing and active security awareness training for employees. I am also going to discuss how these programs work and what should be included in them to make them effective, interesting and fun.
Technology can go only so far in protecting your company. As technologists, we could make security so tight that it hampers and ultimately hurts the productivity of your employees and lowers morale. Even worse, it could hand so much control and influence over the management of your company to IT that you would wonder who was actually running your business.
As a technologist who has spent my entire professional career educating business owners on how to manage their businesses better through the use of technology, I have also come to realize that we technology experts play a supporting and empowering role within the organization. We need to design systems that promote business growth and empower employees to achieve more. Now, however, we have to do it in a way that protects the company we support at a level never seen before, and there is no sign that security awareness will stop being a hot topic.
One estimate puts 59% of security breaches down to insiders who had access to sensitive data and exposed it by accident rather than through malicious activity. When you think about what fuels human error, or what I call the human factor, that exposes sensitive data, you have to consider the following factors:
1) Fatigue. A common and accepted definition of fatigue as it relates to human error is a decline in mental or physical performance caused by lack of sleep, disruption of the internal body clock, high workload, disruption in the workplace, prolonged physical exertion or any combination of these.
2) Audible and visual noise. A Cornell University study on human-computer interaction showed that on simple tasks such as pairing a Bluetooth device, people failed on the first try more often in a noisy environment than in a quiet one. Human noises such as talking or a baby crying raised the failure rate more than natural noises did. It is reasonable to assume that human mistakes will happen at a higher rate in an environment with a lot of human interaction and distraction.
3) Consistency in the workplace. Don Norman, the author of "The Design of Everyday Things," divides human error into two categories: "slips" and "mistakes." A slip happens when a person on autopilot acts on an assumption, such as typing an email message without verifying the addressee to make sure it is going to the right Karen; the result can be confidential information emailed to the wrong person. A mistake happens when a person has built an incorrect mental model, so their mind misinterprets what it sees. For example, we all know our own email address. But if someone registers a lookalike of your company's domain, say with an S added to the end of the company name, and sends mail from it, would you notice, or would your mind read the address as that of someone you know? These mistakes create opportunities for hacking, the spread of viruses, identity theft and fraud.
4) Training. This is one of the biggest shortcomings in using technology to address human behavior. Technology relies on predictable conditions, and humans are anything but predictable when it comes to technology: if at first it doesn't work, we will try and try again. In most cases systems are not designed with human error prevention in mind. A system might stop you from doing something, but that is only one small part of the training and end-user awareness that needs to be addressed.
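The lookalike-address problem in point 3 is one place where a system can catch what a reader on autopilot will not. The script below is an added example and is not part of the original article or of Winning Technologies' tooling. It folds commonly confused characters (a digit 1 for an l, "rn" for an m) and then measures edit distance between a sender's domain and a list of trusted domains, so an address that is one letter off from the real thing is flagged rather than accepted as familiar. The trusted-domain list and the sample sender addresses are constructed for the example.

```python
"""Classify sender addresses against a list of trusted domains, flagging
near-misses that a reader on autopilot would accept as familiar.

Added example, not from the article. TRUSTED_DOMAINS and SAMPLE_SENDERS are
constructed for illustration; a real deployment would feed addresses from
the mail gateway's logs.
"""
from __future__ import annotations

# Constructed: domains the company legitimately exchanges mail with.
TRUSTED_DOMAINS = {"winningtech.com", "example.com"}

# Constructed sample sender addresses, including the "added S" case from
# the text and a digit-for-letter substitution.
SAMPLE_SENDERS = [
    "karen@winningtech.com",
    "karen@winningtechs.com",
    "it-support@w1nningtech.com",
    "alice@mail.example.com",
    "bob@gmail.com",
    "not-an-address",
]

# Single characters that the eye reads as the letter they resemble.
_GLYPH_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Two-character sequences that render like one letter in many fonts.
_PAIR_MAP = (("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'w1nningtech' compares equal to 'winningtech'."""
    d = domain.strip().lower()
    for pair, single in _PAIR_MAP:
        d = d.replace(pair, single)
    return d.translate(_GLYPH_MAP)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for one address."""
    if address.count("@") != 1:
        return "invalid"
    domain = address.rsplit("@", 1)[1].strip().lower()
    if not domain:
        return "invalid"
    # An exact trusted domain, or a subdomain of one, is accepted as-is.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        # Both sides are glyph-folded before measuring distance, so a
        # substituted digit and an appended letter are both caught.
        if levenshtein(norm, normalize(t)) <= max_distance:
            return "lookalike"
    return "external"


def scan(senders):
    """Classify a batch of addresses; returns a list of (address, verdict)."""
    return [(s, classify_sender(s)) for s in senders]


if __name__ == "__main__":
    for addr, verdict in scan(SAMPLE_SENDERS):
        print(f"{verdict:10} {addr}")
```

A distance threshold of 2 is generous for short domains and should be tuned per domain length in practice. Note what this check does and does not cover: it catches visually similar domains that a person would misread, which is Norman's "mistake"; it does nothing about mail forged to carry your exact domain in the From header, which is the job of SPF, DKIM and DMARC at the gateway.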
When it comes to security mistakes that lead to lost data, misplaced data, data sent to the wrong person or unauthorized system access, it is typically not a matter of if but when something will happen that puts your company at risk. To put together a prevention model, we first have to understand the most common mistakes people make so that countermeasures can be put in place to correct them. Companies also have to understand that security is a tug-of-war between protection and convenience, and at times convenience is going to win: when the system blocks user activities that it concludes are putting you at risk, people get frustrated and demand that security protocols be relaxed to make things more convenient.
Scott Lewis is the president and CEO of Winning Technologies Group of Companies, an international technology management company. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker on technology subjects such as colocation, security, CIO-level management, data and voice communications, and best practices related to the management of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.