IT security should be a bowling alley with kid’s lanes
October 2, 2019

Privacy fatigue. It sounds like an existential crisis in a middle-aged relationship. But it’s not.

The phenomenon of “Privacy Fatigue” is the feeling many get from the endless cookie approvals, security warnings and “Are you sure you want to install this program?” prompts. A fatigue that eventually has a greater impact on people’s computer behaviour than the warnings themselves, or the admonitory words of the IT manager’s latest security review.

Your colleagues are just doing their job

Before you put your head in your hands because another employee is jumping on the phishing hook, remind yourself that the employees rarely do it with malicious intent.

Your colleagues outside the IT department (yes, and also within the department) are concerned about their own work and doing it as efficiently and as well as possible.

It’s no wonder that employees download unauthenticated third-party programs that improve their workflow, nor is it strange that they do not always read the security warnings, but simply press “Accept”.

In other words, it’s not because of ill will that your colleagues forget the security presentation you held in the canteen two months ago, but because they are busy solving the tasks for which they are employed.

Security Nudging – the user-friendly approach to security

With the old familiar methods, your IT department is about to lose the security battle. People are and remain the weakest link in the security chain, and if you don’t manage to change their IT behaviour, you expose your company to a major security threat.

Fortunately, there is a solution: You can start thinking in terms of “nudging” strategies.

Nudges are a way of influencing people to make the right choice when they are in the situation. Nudges can take the form of timely, friendly reminders of the “good” decisions, and this may involve making the “wrong” decisions difficult.

A nudge must not be an inconvenience

However, a nudge must not stand in the way of your colleagues being efficient. To introduce new habits, you need to understand the compromises and trade-offs that employees make in order to incorporate them. Therefore, new habits and procedures must maintain or improve the efficiency of your colleagues’ workflows.

Although the required research, consideration and work to introduce a nudge may seem overwhelming, you will often be able to get significant and measurable improvements when a well-thought-out security nudge is introduced.

Try these security nudges first

Some security nudges require extensive preparation, and others are both simple and inexpensive to implement. Here you have three ideas for nudges that will increase your IT security from day one:

#1 Lock Screen nudge

It’s hard to get used to locking your screen when you leave it. In many companies, the cure is that cool colleagues switch the unlocked computer to a Justin Bieber theme. Fun, but also with the risk that the Support department must help the person in distress.

Instead, try printing reminders at the bottom of your coffee cups so that employees are reminded to lock the computer just before they go for a refill.

Also, try to keep statistics on how many people remember to lock their screen. Display the “score” of the day in the canteen, and so put positive social pressure on the forgetful.

Also, remember to auto-lock computers when employees are inactive. Find a time interval that balances the security risk against the irritation of a screen locking merely because of a 2-minute conversation across the desk.

#2 Avoid phishing nudge

The first step to avoiding phishing e-mails is, of course, a good spam filter. If junk e-mails still find their way through the wall, the next line of defence is the employees themselves.

Try setting up a “warning” that pops up if an employee clicks a link from an unknown sender. Instead of a traditional warning, try writing:

Hi, Tony!

We don’t know “[email protected]” and therefore we are hesitant to open the security door.

Do you know the sender well enough for you to let him in without security checks?

Button 1: Do a security check first

Button 2: [email protected] is welcome

If your colleague clicks on “Do a security check”, then it must be quick. Remember that your colleagues would like to be efficient with the work they are doing. Therefore, if possible, the security check must be automatic so that your colleague gets the response immediately and knows if the link is safe or not.
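The decision logic behind this pop-up, as an added example that is not part of the original post: a known-sender list, the friendly prompt text, and a quick automatic link check that runs when the colleague picks “Do a security check first”. The sender list and the specific checks (https, bare IP host, punycode label, link text not matching the real host) are assumptions chosen for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample: addresses this employee has corresponded with before.
KNOWN_SENDERS = {"anna@example.com", "supplier@example.org"}


def sender_is_known(sender):
    return sender.strip().lower() in KNOWN_SENDERS


def nudge_text(employee, sender):
    """The friendly prompt the post suggests, instead of a traditional warning."""
    return (f"Hi, {employee}!\n\n"
            f'We don\'t know "{sender}" and therefore we are hesitant '
            "to open the security door.\n"
            "Do you know the sender well enough to let them in without security checks?")


def automatic_link_check(href, link_text=""):
    """Run when the colleague picks 'Do a security check first'.
    Returns the list of findings (empty list means nothing suspicious);
    the checks themselves are assumptions, not the post's."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append(f"link is not https (scheme: {url.scheme or 'none'})")
    try:
        ipaddress.ip_address(host)
        findings.append("link points at a bare IP address instead of a domain")
    except ValueError:
        pass  # a normal domain name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (punycode) domain; possible look-alike")
    text = link_text.strip()
    if text and " " not in text and "." in text:  # link text that looks like a URL/host
        shown = (urlparse(text if "://" in text else "https://" + text).hostname or "").lower()
        if shown != host:
            findings.append(f"link text shows {shown} but the link goes to {host}")
    return findings


def handle_link_click(employee, sender, href, link_text=""):
    """Decision behind the pop-up: known senders open directly; unknown senders get the
    nudge together with the automatic check result, so the colleague gets an answer at once."""
    if sender_is_known(sender):
        return "open", []
    return "nudge", automatic_link_check(href, link_text)
```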

#3 Nudge with a security post box

A classic hacker trick is to leave USB sticks with your company’s logo outside of your building.

When a friendly colleague finds the USB stick and wants to return it to the right owner, the threat arises: The USB stick is plugged into a computer to find the owner, and the hacker now has access to your system.

The problem with this behaviour is that it’s done with the best intent, and the action is therefore difficult to prevent.

So, try to place a red post box right at the entrance, so that any USB sticks, mobile phones, and other hardware that employees might find can be handed in.

This makes it even easier for employees to be helpful, and ensures that uninvited USB sticks are destroyed and that harmless, mislaid USB sticks are returned to the right people.

Bonus tip: Say thank you!

It sounds elementary, but a simple “thank you” is actually an effective way to keep your colleagues’ focus on secure IT behaviour.

So, when your colleague reports a security threat or remembers to lock their screen, then please say thank you!

Thank them for making your work easier because they secure the company’s data and because they have made an effort.

It can be a thank you e-mail when they contact support, or even better: A handwritten note or a personal “thank you” when you meet them in the corridor. The more personal, the greater the behavioural change you will see.

So, the next time you have to introduce new security procedures, then keep in mind that no one reads your code of conduct and that nobody remembers a security presentation when they are busy.

Instead, help your colleagues remember IT security when it’s most relevant, i.e. when they leave their desk, receive a foreign e-mail or find a USB stick in the car park.
