To Maintain IT Security, You Might Need to Annoy Your Users
We've posted quite a bit about best user practices to maintain the integrity of your IT infrastructure, especially strong password hygiene, the use of antivirus/antimalware, and the importance of backups in case something goes awry. With user negligence causing up to 68% of breaches, according to a Ponemon Research study, these practices are essential. But how can you make sure your employees adhere to them?
A recent article covering the methods the Clinton presidential campaign staff used to encourage information security reveals one major secret to IT security: being kind of annoying.
Keeping IT Safety Top of Mind
In the words of Harry Potter's Mad-Eye Moody, constant vigilance is one of the best methods to avoid cyberattack, whether you're facing DDoS, phishing attacks, viruses, or the current scourge of IT departments across the globe, ransomware.
In other words, train your staff and remind them regularly about cyber dangers like clicking on unsolicited links, providing login details via e-mail, or re-using the same password across a variety of services. This isn't really new advice, but the Clinton campaign took things to new levels.
They would send regular fake phishing e-mails to staff members to see how they would respond. After a round of these tests, they would report back to the staff during regular meetings to let them know what they clicked on that they shouldn't or which addresses they replied to that could have been from outside the campaign. In addition to these tests, they would even plaster the bathrooms and public areas with signs, reminding users not to share their passwords, or slogans like, "Don't click on that link, stop and think." Staff meeting agendas included infosec updates from the IT director, making him an essential piece of the overall campaign strategy and success, rather than a typically overlooked role that is only consulted when technology isn't working properly.
"But wait," you may object. "The Clinton campaign got hacked, didn't they?"
It was actually the Democratic National Committee's servers that were hacked, with e-mail subsequently published by WikiLeaks. With extremely sensitive e-mail ranging from secret campaign strategy to potential national security issues, the Clinton campaign had good reason to keep IT security top of mind for its staffers.
Users may not be happy with constant reminders about their lax security, so you might need to include the risks at hand when describing the importance of IT safety. Insider threats remain a top cause of data loss or other breaches, particularly ransomware, which can cost tens of thousands of dollars in ransom if you do not have a recent backup and can't afford to lose your latest data.
Here are some mild annoyances to continue reminding your users about:
- Keep personal and work information separate -- do not mix corporate info with personal accounts
- Keep all antivirus and antimalware software enabled and up to date
- Maintain OS and other applications, installing all new updates as they arrive
- Use two-factor authentication where possible
- Have strong password requirements and enforce mandatory password changes regularly
- Carefully read all e-mails for signs of phishing, like strange e-mail addresses, suspicious attachments, or links to reset passwords that were not requested
- Keep IT directors, CSOs, or other IT leadership involved in business planning and staff meetings
- Publicly remind staff of security best practices with e-mails, signs, or even contests
Nobody likes a nag, it's true. And everybody groans when the reminder to change an expired password pops up, or becomes frustrated when they fail to meet password requirements for their first three attempts to set a new one, only to find their fourth attempt is actually their last password. But with clear and regular communication from your IT staff, employees will soon take cyber hygiene as second nature.