You've worked in IT for some time, perhaps a few years or even a few decades. You're finally figuring out what it takes to keep the joint running and, presumably, what it takes to keep things secure.
But there's one thing I'm guessing you haven't mastered: human behavior.
You see, the mindset of the typical employee is so complex that businesses spend enormous amounts of time and money trying to predict and control employee actions. We're still behind the curve with information security because of this.
If we're going to implement IT-related policies, properly enforce those policies and minimize our information risks, we need to have a better understanding of how people work and make decisions. This understanding can help lead to a better employee security awareness program.
Consider this: A recent Symantec study found that the majority of employees (56%) possess what they called an "occupy" mindset, believing that it's okay use a competitor's trade secrets. Sixty-eight percent said their company doesn't take the proper steps to protect sensitive information, and 40% plan to use this company information in new roles once they move on.
And a 2012 CyberArk survey of IT managers and executives found that 43% of respondents said they would walk out with proprietary data -- such as privileged password lists, customer databases and R&D plans -- if they were fired tomorrow.
There's clearly a problem with this throughout the enterprise. If insider exploitation can happen to the NSA, it can happen to your organization. I'm not smart enough to outline fixes for all of the types of behaviors that impact information security, but I have learned enough over the years to know that there are three factors that apply:
- You can never assume that people know the right things to do with security. Even if there was high security awareness, you can never assume employees will always do what's right.
- Your employees know that no one in IT has a clear picture of what information is where on the network, much less who has access to that information.
- Your employees' desire to violate policies outweighs their perception of the risks involved. They know there's limited oversight and accountability. The stakes of getting caught are high, but they also know the odds are in their favor.
Employee security awareness and training must be an ongoing process, but you absolutely cannot rely on it to prevent mishaps. Unfortunately for security's sake, any semblance of controlling employee behavior usually stops here.
The desire for instant gratification is a powerful force. Many people have trouble thinking about the long-term consequences of the choices they're making today.
These things are not unique to IT and security; they're present across the board in all aspects of society and business. But the reality is that if you overlook any of these issues, you're going to continue to struggle with security.
You don't have to become an expert in human psychology to help your enterprise's security, but you do need a hefty dose of emotional intelligence. Make this a top priority. If you focus on the people side of security as much as you do on the technical side, it can boost your overall IT and security skillset -- it may even help you craft an effective employee security awareness program.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC. With more than 25 years of experience in the industry, he specializes in performing independent security assessments revolving around information risk management and is the author or co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.