For employees, security controls have long been seen as obstacles to overcome rather than necessary precautions for the good of the company. In fact, a 2018 Insider Threat Intelligence Report from Dtex found that last year, 60 percent of users intentionally bypassed security policies with anonymous or private browsing. And, in 91 percent of assessments, employees used company machines for personal email activities, which puts corporate data and resources at a much higher risk for phishing attacks. How can you improve your company’s security posture and minimize risk, without simply mandating the most stringent security procedures?
In a recent column for Dark Reading, Marc Laliberte, senior security analyst at WatchGuard, covers three tips to drive user buy-in for security policies. It may seem counterintuitive, but his first suggestion is actually to relax security controls. Here’s a brief excerpt from the article about this tactic:
“As a security professional, I understand the value of advocating for the strongest security possible. To be honest, if I had my way, users would use complex, 24-plus-character passwords, ignore all email attachments, and be blocked from accessing the Internet outside of specific whitelisted websites required for their jobs. But this isn’t realistic. Applying overbearing security policies is an effective way to get employees to ignore sensible security practices out of spite.
On the other hand, by relaxing some rules, IT can drive better policy adoption. For example, easing up on the websites you block can reduce the urge for users to try and proxy or VPN around corporate protections. Allowing less complex (but still secure) passwords can reduce password reuse and dissuade users from simply swapping in a new number when it comes time for a quarterly password reset. In fact, last year the National Institute of Standards and Technology (NIST) updated its password enforcement guidelines to remove complexity and expiration requirements, among other similar changes.”
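To make the password point concrete, here is an added example (not code from the Dark Reading column or from WatchGuard) contrasting a classic composition rule with a length-plus-blocklist check in the spirit of the NIST guidance the excerpt mentions, including a check for the "just bump the trailing number" reset habit. The blocklist entries and sample passwords are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for a real common/breached-password list (NIST SP 800-63B
# recommends screening against such a list); these values are made up here.
COMMON_PASSWORDS = {"password", "p@ssw0rd1", "welcome1", "summer2018!", "qwerty123"}


def legacy_complexity_policy(pw: str) -> bool:
    """Classic composition rule: 8+ chars with upper, lower, digit and symbol.
    Short, predictable strings like 'P@ssw0rd1' sail through this check."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def is_trivial_increment(new_pw: str, old_pw: str) -> bool:
    """True when new_pw is old_pw with only its trailing digits changed or appended
    (e.g. 'Winter2018' -> 'Winter2019'), the habit quarterly resets encourage."""
    stem = lambda s: re.sub(r"\d+$", "", s).lower()
    return new_pw != old_pw and stem(new_pw) == stem(old_pw)


def nist_style_policy(new_pw: str, old_pw: Optional[str] = None) -> Tuple[bool, str]:
    """Length-based check with no composition rules: reject only passwords that are
    very short, on the blocklist, or a trivial increment of the previous one."""
    if len(new_pw) < 8:
        return False, "too short (minimum 8 characters)"
    if new_pw.lower() in COMMON_PASSWORDS:
        return False, "appears in the common/breached password list"
    if old_pw is not None and is_trivial_increment(new_pw, old_pw):
        return False, "only the trailing number changed from the previous password"
    return True, "ok"


if __name__ == "__main__":
    for candidate, previous in [("P@ssw0rd1", None),
                                ("correct horse battery staple", None),
                                ("Winter2019", "Winter2018")]:
        print(f"{candidate!r}: legacy={legacy_complexity_policy(candidate)} "
              f"nist={nist_style_policy(candidate, previous)}")
```

Note that the legacy rule accepts the blocklisted "P@ssw0rd1" and rejects the long passphrase, while the NIST-style check does the reverse.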
For more information and to learn about the other two tips for establishing user buy-in for security policies, read the full article in Dark Reading. And for more on the latest security insights, news and research, subscribe to Secplicity.
kurt says
removing expiration requirements – with the amount of phishing scams attempting to get users to provide their credentials in fake websites, is this really a good idea?
Marc Laliberte says
Recent studies have found that enforcing mandatory password expirations causes users to choose less secure passwords than they would if there was no mandatory expiration. That isn’t to say users should never reset their passwords, especially if they have fallen victim to a breach or phishing scam.
A few years back, the Chief Technologist at the FTC wrote an excellent blog post on this topic citing a few studies. It is well worth a read! https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes