If you are approaching your end-user security awareness training program with an ‘us vs. them’ mentality, be warned: This mindset can breed resentment and distrust — on both sides — and undermine your efforts to build a more secure culture.
How to Get on the Same Side of Cybersecurity Education

With the significant challenges present in today’s business climate, it’s natural that infosec teams are doing all they can to control their own destinies. It’s also natural for them to be frustrated by the fallout from end-user mistakes. The devices, the email accounts, and the errant clicks and downloads all belong to the employees…but the responsibilities for remediation fall to you and your staff. And many of the issues you deal with — like successful phishing attacks, credential compromise, and malware and ransomware infections — are preventable.
All that being said, allowing those frustrations to harden into an “IT vs. end users” cybersecurity mindset doesn’t solve the problems. Actually, it compounds them. This type of approach can leave end users feeling disrespected — even though they are often highly skilled and very capable of doing the jobs they were hired to do. If they are treated simply as security liabilities, rather than as valued organizational assets, employees start to resent IT’s role in their day-to-day activities. Even simple safeguards will be ignored if employees feel that nothing they do will matter. It’s a recipe for apathy at best, and an environment that breeds deliberate security infractions at worst.
If you or your staff have drifted into this way of thinking, it’s time to reset your collective mindset. The behavior change won’t be immediate, but you have to start somewhere. It may seem a bit “touchy feely,” but you essentially need to adopt a new outlook. These tips can help you:
- Consider how your users feel about IT. Cybersecurity is not their specialty. Some things are difficult to understand and, given how quickly the threat landscape can shift, it’s not only unrealistic to expect non-IT employees to keep up, it’s unfair.
- Believe that your users are capable of change. You’ve learned many new skills as you’ve moved along your career path. So have your users. Sure, a lot of cybersecurity best practices aren’t rocket science, but they aren’t instinctive either. Learning can’t happen via osmosis, but it can happen through opportunity.
- Give it time. You didn’t learn about ransomware and phishing prevention, password management techniques, mobile device security, and other best practices in a few minutes a few times a year. Don’t expect your employees to “get it” from occasional videos, presentations, and/or emails. Give your users the courtesy of learning and improving over time.
- Accept that mistakes will happen. Software patches aren’t always applied in time. Spam filters don’t catch everything. Anti-virus software is never fully in front of threats. In the same way, end users won’t spot every phishing email or avoid every dangerous website. Any insurance rep will tell you that 0% vulnerability is unachievable on all fronts. Stop chasing zero and start focusing on risk reduction rather than risk elimination.
If you feel the need to draw a line, know that the only truly useful “us vs. them” cybersecurity mindset is “your organization vs. the attackers who would do you harm.” Work to bring your end users into your corner, and help them gain the knowledge they need to improve your security posture. You are in this together, so do it together.
Seeking more advice about dealing with risky end-user behaviors? Register for the replay of the August 30 SecureWorld webinar to hear what a panel of cybersecurity experts has to say about handling ongoing issues and implementing escalation paths.