When IT security teams embark on efforts to ingrain a culture of security within an organisation, it is counterproductive to treat users with contempt, delegates at the SC Congress heard. Culture in this context can be defined as what people actually do when no-one is watching them.
Giving a keynote speech at the conference, held in West London, John Scott, head of security education at the Bank of England, said that initiatives to build a culture of security within businesses can fail if users are singled out or ridiculed for the mistakes they make.
He said that exercises where IT security teams send out phishing emails to see if any users click on them can risk "alienating staff".
"Phishing exercises should be an educational exercise to show people what a phishing email is," he said. He urged IT security teams to run a phishing school. "Teach staff about how phishing works and how to avoid it." Such exercises should take the place of shaming users who fall for scams.
He said that some time ago, he visited a trade show where someone was giving a presentation on building a security culture. The person in question said that a typical user was "stupid". Scott said this line of thought was not conducive to creating an atmosphere where users took security seriously.
He added that this highlighted the need for cyber-security teams to "think carefully when interacting with staff, don’t hold staff in contempt."
Treating users with respect is only part of what cyber-security teams need to do to make their organisations more security conscious.
Scott said that cultural change is a "move from compliance to maturity".
"Ask yourself what your maturity behaviours are. Are you using a password manager? Are they uncrackable?"
Organisations would be well placed to use gamification to improve their security culture, Scott said, explaining that this is often about rewards for carrying out repetitive tasks. One approach he described was to mandate long passwords and tell staff that these passwords would not expire unless they were cracked. The security team would then be tasked with cracking the password hashes held in the Active Directory database. If a password could be cracked, the user would be told to change it, and the game would continue until every user had a password that could not be cracked.
Another way to encourage good security behaviour among users is to reward positive behaviour rather than singling out those who, for example, 'fail' phishing tests. He cited an occasion where IT teams went from desk to desk checking that people maintained a good level of security hygiene. Those who did got a thank-you and a chocolate; those who did not got nothing. This means that those who have not been rewarded are not embarrassed in front of peers, but do realise that their behaviour is not typical, and may well try to find out why they have not been 'rewarded'. This gives the security team a chance to educate users in good security practices.
This can also be an opportunity to find out where security is a barrier to productivity.
"It’s good to talk, you need to get staff to tell you where security is hurting," said Scott.
In addition to providing an eight-step approach to achieving a security culture, Scott also simplified it down to two steps. First, eliminate the negative actions that are detrimental to security; these are the actions for which there should be strict policies and procedures that, once applied, achieve a neutral rather than negative state. Second, encourage and incentivise the positive actions that enhance security; these are often 'voluntary', and will not be taken if staff do not understand and agree with them, or see them as impeding their ability to perform their role. If staff are taking such actions of their own volition when no-one is 'looking', then a security culture has been engendered.