I love the new TV show "Scorpion", which depicts extreme geniuses Walter O'Brien and his team solving high-risk crisis scenarios using nearly impossible solutions. As everyone should know, the real-life Walter O'Brien, whose high IQ and comparable achievements spawned the basis for the TV drama actually identified the brother terrorists who were behind the Boston Marathon bombing, according to CBS, Boston.
O'Brien comes by his intellect naturally. Enterprises are still searching for manmade means to effectively spawn higher Security IQs among employees whose risky behavior welcomes attacks right in the door.
How We Treat Low Security IQs Today
Whether you call it a low security IQ or a lack of awareness and discipline, employees make bad security choices. You can't get through a month now without hearing about another major corporate data breach. The kicker is that the low security IQs that adversely affect enterprise data also lead the enterprise.
The Ponemon Institute recently surveyed more than 1,000 international enterprise employees, mostly senior-level people, about risky security behavior. The results are an unsettling trip down corporate "Disturbia" lane.
According to the report, "Breaking Bad: The Risk of Insecure File Sharing", half of surveyed participants indicated that they don't know whether their enterprise can manage and control user access to sensitive data or how employees share and distribute data. Sixty-one percent of those surveyed in the same report say they often share files via unencrypted email, don't follow policies that dictate when to delete confidential documents, and accidentally send files to people who the company has not authorized to have or view them.
Perhaps the enterprise shouldn't promote those who click before they think, but being too harsh or expecting too much from employees does not help either. Taking a punitive approach to modifying risky employee behavior is a key challenge to success in raising security IQs. "A punitive approach leads to counter reactions where employees become disengaged and don't want to be forthcoming when there is a security issue," says Scott Greaux, Vice President of Product Management, PhishMe.
Equally oppressive is the tendency to overwhelm employees with too much information about security issues or with information they can't grasp. "You don't need to tell everyone everything or to have them be security experts. Simply make sure they understand the risks that they face," says Greaux.
Solutions for Raising Security IQs / What Does It Take?
To raise security IQs, security departments must be available, appreciative, and responsive as sounding boards for any security issues that an employee would even consider sharing. "For example, have a method by which users can forward a suspect email to a trusted party who can determine whether it is clean or malicious," says Rich Owen, CISO, American Traffic Solutions and Hall of Fame Member, the ISSA. These are opportunities to involve and engage employees, teach them, and help them sharpen their skills and judgment for spotting phishing and other attacks.
Enterprises should reward their end-users for reporting suspicious emails; notify their boss that they are active in protecting the company. It's good for positive reinforcement and morale. "Each month take the list of people who reported suspicious email and randomly select one or more for a $100 gift certificate," says Owen, who avoided $20 million in costs in the development of the Shuttle Systems security program for Mission Operations at Johnson Space Center, NASA.
Owen's most effective reinforcements to achieve higher security IQs over time include: give a $100 gift certificate immediately to an employee who reports a significant security issue; take no action when an employee opens an infected link or document but reports it immediately; and, include following security standards and procedures in everyone's job description.
Use What You Have
Enterprises should exercise their creative muscle to squeeze everything they can out of security measures and incumbent opportunities for reinforcing employee security consciousness. For example, while enterprises can use Data Loss Prevention (DLP) technology to simply monitor and block attempts to funnel data out of the organization, they are missing out on a great opportunity if that's all they do with it.
"I used DLP to monitor outgoing email, looking for unencrypted PII. The business monitored these events and flagged the ones we needed to closely examine. If an employee sent something they shouldn't have, we had a conversation with them and used it as a teaching opportunity, not as a means to get someone into trouble," says Michael Eisenberg, Global CISO emeritus, AON Plc.
"We clarified with the employee whether they should have sent the information in an encrypted form and ensured they were aware of circumstances that require encryption. Employees were genuinely concerned during these discussions, which achieved strong behavior modification," says Eisenberg.
AON Plc used DLP first to detect the number of instances of employees attempting to send unencrypted PII (Social Security numbers, for example) out of the enterprise. As the subsequent interventions and conversations lead to fewer instances, the company was able to gauge its progress and fine tune the conversations for increasing effectiveness. This was literally a definable metric for the state of security behavior and its decline or improvement.
"Anyone can simply start blocking emails and never let employees know that they blocked their communications. The maturity play is to use DLP to understand the risks and address them with employees in the environment in order to make a difference," says Eisenberg; "if you don't use DLP to teach people what you expect then you are doing them and yourselves a disservice."
Sim Tools Rule
Enterprises should use tools that educate about specific, high-risk employee behavior. Opening phishing emails is one of the most high-risk employee behaviors. There is a tool called PhishMe, which enables an enterprise to send a harmless phishing email to employees to determine what is the end-user susceptibility to this kind of trap. (Similar threat simulation tools include ThreatSim and tools from Wombat Security Technologies including PhishGuru, SmishGuru, and USBGuru.)
"Then you can let them know that they have fallen for a mock phishing attempt. It makes them think twice about opening those emails," says Eisenberg; "as much as we educate people, a lot of them don't know about phishing." The enterprise must include specialized education about phishing for executives and engage them as well. "It's easy to locate and target executives whose names are on public websites. LinkedIn has made it easy for hackers to perform reconnaissance of the enterprise," says Eisenberg.
Make It Personal
Select people from among employees to become security champions. Empower them to help their peers in the environment. Recognize employee success, both in roles as champions and as advocates of security. Use games and contests to reinforce methods for securing the environment. Enable employees to submit ideas and methods to improve processes and behaviors for good security practices.
"Help people with something they are concerned about in their personal lives. Share a one-pager with several methods to protect their credit card information at home and throughout their lives. The goal is to establish protection for their personal information, but it all applies to the organization as well. Build that win-win approach into the colleague community," says Eisenberg.
By learning to stimulate what drives people and to harness that drive, any enterprise can sharply curb bad security habits.