If they can find a way to do it, many users will circumvent cybersecurity rules they find inconvenient or time-consuming. It’s something cybersecurity professionals come across all the time – sometimes after damage already has been done.
But cybersecurity professionals themselves aren’t immune to the temptation to break the rules, as Dr. Alexandra Samuel, a cybersecurity expert, wrote in a recent Wall Street Journal article. And the reason is the same as for everybody else: Cybersecurity practices can be cumbersome.
It’s not entirely the fault of users, she says. For one thing, password managers aren’t as user-friendly or effective as they should be. And in some cases users get punished for following safe practices. For instance, some sites block content to users who refuse to accept cookies. And when it comes to over-sharing on social media, platforms don’t necessarily make it easy to set privacy controls.
Knowing what they know, why do cybersecurity professionals sometimes break the very rules they are meant to enforce? Samuel attributes this to a simple answer: We’re all human. That’s understandable, but it’s problematic.
User awareness is key to any successful cybersecurity program. Technology is essential to fortifying an organization’s defenses, but cannot save users from themselves. A user who clicks a link on a phishing email doesn’t need more technology; he or she needs better training.
That’s why training and communication are essential components of a cybersecurity strategy. By now, it’s well understood that every organization should have a security awareness program, but what is perhaps less understood is how to communicate the information that conditions employees to follow security practices.
A training and awareness program should clearly state its goal – how security hygiene protects users and the organization. Users need to understand security isn’t just the responsibility of the cybersecurity team; everyone shares in it.
It takes one bad decision by a single user to unleash a virus on a company’s network. All it takes is something as simple as opening an infected attachment, plugging in a USB drive carrying a virus or walking away from a computer without locking it. Most users have done one of these things without thinking at one point or another.
But circumventing security protocols actually requires thinking about what you’re doing. If a user is reusing passwords across different systems, the user most likely is making a conscious decision. The same goes for someone who shares a password or lets an unauthorized person use a restricted system.
Good security requires constantly reinforcing good habits. It’s all about communication and education. Training should be ongoing and involve all users. Reminders of good security practices should be shared regularly. And companies should acknowledge when an employee does something right, such as reporting a suspected phish to the cybersecurity team.
Of course, reinforcing good habits has to start with the cybersecurity team. A team that allows its members to circumvent protocols for convenience isn’t likely to be very effective in communicating the need for hygiene across the organization. To prevent that, protocols should be clear and as easy as possible to follow. And when choosing tools, cybersecurity teams should select them not just for effectiveness, but also for usability whenever possible.