In our InfoSec bubble we can find ourselves feeling like we are fighting a losing battle. We write perfect policies that nobody reads, and after your fifth security incident you can feel like you are bashing your head on the desk. Making security better for everyone is a hard problem, as I am sure you would agree. However, we do feel it can be done a little differently!
Well, this should be clear-cut: the rules are there and users have read them. If they cause a security incident after that point, it is their fault.
Get real! This is no different from you reading the terms of service when signing up to an online service. What makes you think a user in their first few weeks at your business is going to sit down and familiarise themselves with your extensive list of policies? Employees can get by knowing the bare minimum needed to do their job, so your policy may have been read, but it has not been absorbed. And who is to say your policy is any good? Does it align with the current NIST recommendations for passwords (SP 800-63B) yet, or is it years old? Either way, rules are rules and we have to respect that, but keep them for the board meetings and stop relying on them to 'educate' your workforce.
Education has to be the next logical step: you have the rules defined, but people do not understand them. Your colleagues are good people, so let's help them.
Most companies proceed to ram home some 57 monthly modules of garbage eLearning in a flurry of annoying emails. If you are new to eLearning, the poor examples are the equivalent of chucking a thesaurus at someone and asking for a good poem. They have all the right words in the right sentences, but they lack the core education people need to make more informed choices.
Breaking IT down
So people do not read your policy and do not understand your eLearning. That sucks, really. I guess you have to make an important choice: do we pursue an unattainable utopia in which every last boring line of the policy is adhered to, or do we change the problem, break down the issues we face and tackle them one at a time? Do you really want everyone to know all 36 bullet points of your password policy, or would you settle for strong passwords used by all? When you actually speak to IT managers, it's always the same story.
“I can’t cope anymore, just get them to use strong passwords, stop clicking the phishing links and lock the doors properly!” – Every IT Manager
Building Them Up
We need to start teaching people the fundamental actions needed to stay safe: how to actually construct a strong password, and real advice on phishing, not just 'check the bloody sender'. Your employees can be taught the basics in a few hours. Arming them with these snippets of education is necessary and it can be done. Once the education is condensed and they have a foundational knowledge, we can start to layer on more advanced material. Talking about passwords can spill over into further learning about phishing. Teaching people about physical security overlaps with tailgating, vishing and smishing (SMS phishing). With a little effort you can see some great things happen in your workforce.
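To make the 'strong passwords used by all' point concrete, here is an added example (not code from the original post or from any product it describes) contrasting a typical legacy composition-rule policy with a check aligned to the NIST SP 800-63B guidance that the earlier section alludes to: a minimum of 8 characters, a generous maximum (the 128 used here is an assumption; NIST only requires that at least 64 be permitted), no composition rules, and rejection of passwords that appear on a blocklist of common or breached values or that contain context-specific words. The blocklist, the context words (`acme`) and the leetspeak folding table are constructed for illustration; a real deployment would use a large breached-password corpus.

```python
"""Legacy composition rules next to a NIST SP 800-63B-style password check.

Added illustration; blocklist and context words are constructed samples.
"""
import re

MIN_LEN = 8      # NIST SP 800-63B minimum for user-chosen passwords
MAX_LEN = 128    # assumption; NIST requires at least 64 to be accepted

# Constructed sample blocklist. Use a large breached/common-password list in practice.
BLOCKLIST = {
    "password", "password1", "welcome", "welcome1", "qwerty123",
    "letmein", "summer2023", "changeme", "iloveyou",
}
# Context-specific words (company, product, username) that 800-63B says to reject.
CONTEXT_WORDS = {"acme", "acmecorp"}

# Cheap leetspeak fold so "P@ssw0rd1" is compared as "password1".
_FOLD = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "4": "a"})


def legacy_policy(pw: str) -> tuple[bool, list[str]]:
    """The classic '8 chars plus upper, lower, digit and symbol' rule set."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    return (not problems, problems)


def _candidates(pw: str) -> set[str]:
    """Variants of the password to look up in the blocklist."""
    low = pw.lower()
    folded = low.translate(_FOLD)
    out = {low, folded}
    for c in (low, folded):
        out.add(re.sub(r"[^a-z0-9]+$", "", c))   # drop trailing symbols
        out.add(re.sub(r"[^a-z]+$", "", c))      # drop trailing digits/symbols
    return {c for c in out if c}


def nist_policy(pw: str) -> tuple[bool, str]:
    """Length plus blocklist, no composition rules, as in SP 800-63B."""
    n = len(pw)  # count code points: spaces and Unicode are all allowed
    if n < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if len(set(pw)) == 1:
        return False, "single repeated character"
    if all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:])):
        return False, "sequential characters"
    for cand in _candidates(pw):
        if cand in BLOCKLIST:
            return False, f"matches blocklisted password {cand!r}"
        if any(w in cand for w in CONTEXT_WORDS):
            return False, "contains a context-specific word"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs showing where the two policies disagree.
    for pw in ["P@ssw0rd1", "Acme2024!", "12345678", "correct horse battery staple"]:
        print(f"{pw!r:34} legacy={legacy_policy(pw)[0]!s:5} nist={nist_policy(pw)}")
```

The interesting cases are the ones where the policies disagree: `P@ssw0rd1` and `Acme2024!` satisfy every composition rule yet are trivially guessable, while `correct horse battery staple` fails the legacy rules and is the strongest of the four. That gap is exactly why teaching people how to build a long passphrase beats asking them to memorise 36 bullet points.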
Try Our Approach
We believe in arming employees with the skills needed to combat cyber crime. Our informative and interactive eLearning courses are designed to transfer useful defensive habits. Easy-to-understand modules teach the essential skills your employees need to keep themselves safe online, including at home. Fewer (or no) annoying emails, and education where you actually learn something useful for your effort.
We have a demo course available; if you would like to read more about it, please visit the eLearning page.
If you do not want to try our way of learning, please be sure to stay focused on what matters: really engage with people and aim to keep them safe in whatever you do.