
Making security everyone’s job

By John Oates

Improving an organisation’s cyber security is about changing the way that security is seen by end users and making life easier for them to do their jobs.

Too often security policies make it more difficult for people to carry out simple tasks. If the IT department insists that everyone creates a complex password and changes it every two weeks, people are forced to cheat the system, because it is simply not possible to create and remember a proper password that often.

Instead people will use a variant on one word, which is less safe.

Equally, if access to key systems or databases is too restricted, people will share passwords so that those who need the information can get it. Once a password is being shouted across the office it is of no value at all.

Making security everyone’s job first of all means building systems which are easily workable by everyone in the organisation.

Blaming the user as the greatest security risk to the business is no longer good enough.

If people are expected to use dozens of passwords then some sort of password manager application is a better way to do it. Better still is to get rid of as many passwords as possible in favour of token or card reader systems.


The first step to improving security might actually be getting rid of useless and annoying layers of security which don’t make the business any safer.

By making users’ lives easier there is more chance that you can get them to take real risks seriously.

Removing needless restrictions, like passwords for photocopiers, is a good first step.

If security messages are clear, limited and necessary, people will pay more attention.

Think about the endless security warnings some systems throw up about insecure websites – we quickly become accustomed to clicking ‘continue anyway’ because nothing bad happens, and we stop reading the message.

IT security needs to be seen as an enabler for the business, not a barrier – otherwise people will simply hide what they are doing.

If the security systems provided are usable and useful, training staff suddenly becomes much easier.

It is also important to create a culture where although security is everyone’s job, it is not everyone’s fault when it goes wrong.

Think about rewarding good security behaviour rather than just punishing bad behaviour. Phishing tests are one example of this.

Many organisations send out periodic fake phishing emails to see who falls for them. But instead of shaming those who fail this could be turned into a more positive exercise by rewarding people, or departments, who spot the dodgy emails.

Equally, creating a genuine conversation about phishing – even asking people to send in suspicious emails – can help create a feeling that security is about more than just IT telling people off.

By getting users to inform you about other possible security holes you can create a 24/7 testing system for zero cost.

Cyber security teams need to win users over by rewarding them for doing well, rather than only taking negative action when they fail. This will help make security part of the psychological contract between staff and the business.

By seeing security as something positive you can effectively increase the size of the security team to include everyone in the organisation. Creating a culture which is both aware of security but also willing to own up to mistakes or possible problems is a difficult balancing act.

But get it right and your organisation will be best placed to deal with whatever the next wave of cyber attacks looks like.
