Tip

Keep secrets safe with an employee security awareness program

You've worked in IT for some time, perhaps a few years or even a few decades. You're finally figuring out what it takes to keep the joint running and, presumably, what it takes to keep things secure.

But there's one thing I'm guessing you haven't mastered: human behavior.

You see, the mindset of the typical employee is so complex that businesses spend enormous amounts of time and money trying to predict and control employee actions. We're still behind the curve with information security because of this.

If we're going to implement IT-related policies, properly enforce those policies and minimize our information risks, we need to have a better understanding of how people work and make decisions. This understanding can help lead to a better employee security awareness program.

Consider this: A recent Symantec study found that the majority of employees (56%) possess what they called an "occupy" mindset, believing that it's okay to use a competitor's trade secrets. Sixty-eight percent said their company doesn't take the proper steps to protect sensitive information, and 40% plan to use this company information in new roles once they move on.

And a 2012 CyberArk survey of IT managers and executives found that 43% of respondents said they would walk out with proprietary data -- such as privileged password lists, customer databases and R&D plans -- if they were fired tomorrow.

There's clearly a problem with this throughout the enterprise. If insider exploitation can happen to the NSA, it can happen to your organization. I'm not smart enough to outline fixes for all of the types of behaviors that impact information security, but I have learned enough over the years to know that there are three factors that apply:

  1. You can never assume that people know the right things to do with security. Even if there were high security awareness, you can never assume employees will always do what's right.
  2. Your employees know that no one in IT has a clear picture of what information is where on the network, much less who has access to that information.
  3. Your employees' desire to violate policies outweighs their perception of the risks involved. They know there's limited oversight and accountability. The stakes of getting caught are high, but they also know the odds are in their favor.

Employee security awareness and training must be an ongoing process, but you absolutely cannot rely on it to prevent mishaps. Unfortunately for security's sake, any semblance of controlling employee behavior usually stops here.

The desire for instant gratification is a powerful force. Many people have trouble thinking about the long-term consequences of the choices they're making today.

These things are not unique to IT and security; they're present across the board in all aspects of society and business. But the reality is that if you overlook any of these issues, you're going to continue to struggle with security.

You don't have to become an expert in human psychology to help your enterprise's security, but you do need a hefty dose of emotional intelligence. Make this a top priority. If you focus on the people side of security as much as you do on the technical side, it can boost your overall IT and security skillset -- it may even help you craft an effective employee security awareness program.

About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC. With more than 25 years of experience in the industry, he specializes in performing independent security assessments revolving around information risk management and is the author or co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.

This was first published in January 2014
