Secplicity - Security Simplified

Powered by WatchGuard Technologies

User Buy-in – The Key to Better Corporate Security

June 19, 2018 By The Editor

For employees, security controls have long been seen as obstacles to overcome rather than necessary precautions for the good of the company. In fact, a 2018 Insider Threat Intelligence Report from Dtex found that last year, 60 percent of users intentionally bypassed security policies with anonymous or private browsing. And, in 91 percent of assessments, employees used company machines for personal email activities, which puts corporate data and resources at a much higher risk from phishing attacks. How can you improve your company’s security posture and minimize risk without simply mandating the most stringent security procedures?

In a recent column for Dark Reading, Marc Laliberte, senior security analyst at WatchGuard, covers three tips to drive user buy-in for security policies. It may seem counterintuitive, but his first suggestion is actually to relax security controls. Here’s a brief excerpt from the article about this tactic:

“As a security professional, I understand the value of advocating for the strongest security possible. To be honest, if I had my way, users would use complex, 24-plus-character passwords, ignore all email attachments, and be blocked from accessing the Internet outside of specific whitelisted websites required for their jobs. But this isn’t realistic. Applying overbearing security policies is an effective way to get employees to ignore sensible security practices out of spite. 

On the other hand, by relaxing some rules, IT can drive better policy adoption. For example, easing up on the websites you block can reduce the urge for users to try and proxy or VPN around corporate protections. Allowing less complex (but still secure) passwords can reduce password reuse and dissuade users from simply swapping in a new number when it comes time for a quarterly password reset. In fact, last year the National Institute of Standards and Technology (NIST) updated its password enforcement guidelines to remove complexity and expiration requirements, among other similar changes.”

For more information and to learn about the other two tips for establishing user buy-in for security policies, read the full article in Dark Reading. And for more on the latest security insights, news and research, subscribe to Secplicity.
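To make the policy shift in the excerpt concrete, here is an added example (it is not code from this post, the Dark Reading column, WatchGuard or NIST): a legacy composition-plus-90-day-expiration checker beside a checker that follows the direction NIST SP 800-63B took, namely a minimum length, a generous maximum, screening against a blocklist of common or breached passwords and context-specific words, and no composition or expiration rules. The blocklist, usernames, sample passwords and dates are all constructed for the demonstration. It also speaks to the expiration question raised in the comments: the legacy policy happily accepts a predictable "season plus year" password and only forces a change on the calendar, while the NIST-style policy rejects known-weak choices outright and accepts a long passphrase the composition rules would have refused.

```python
"""Legacy composition-and-expiration password policy beside a NIST SP 800-63B-style
policy. Constructed example for illustration; not code from Secplicity, WatchGuard
or NIST.
"""
from __future__ import annotations

import re
from datetime import date, timedelta

# Constructed stand-in for a blocklist of common or previously breached passwords.
# A real deployment would screen against a large corpus, compared case-insensitively.
BLOCKLIST = {"password", "password1!", "qwerty123", "letmein", "welcome1"}

MIN_LENGTH = 8                 # both policies
MAX_LENGTH = 64                # 800-63B: accept at least 64 characters
EXPIRY = timedelta(days=90)    # legacy policy only

# Constructed reference dates: the post's publication date, a recent change, a stale one.
TODAY = date(2018, 6, 19)
FRESH = TODAY - timedelta(days=10)
STALE = TODAY - timedelta(days=120)


def legacy_policy(password: str, last_changed: date, today: date) -> list[str]:
    """Composition rules plus a 90-day expiration.

    Returns the list of rule violations; an empty list means the password is
    accepted. A predictable password such as "Summer2018!" passes every rule.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in (
        ("uppercase letter", r"[A-Z]"),
        ("lowercase letter", r"[a-z]"),
        ("digit", r"[0-9]"),
        ("symbol", r"[^A-Za-z0-9]"),
    ):
        if not re.search(pattern, password):
            problems.append(f"missing {label}")
    if today - last_changed > EXPIRY:
        problems.append(f"expired: last changed more than {EXPIRY.days} days ago")
    return problems


def nist_style_policy(password: str, username: str = "") -> list[str]:
    """Length plus blocklist and context screening; no composition or expiration rules.

    Mirrors the direction of NIST SP 800-63B section 5.1.1.2: a minimum length,
    a generous maximum, and rejection of passwords found in a blocklist, made of
    a single repeated character, or containing the account's username.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    if lowered in BLOCKLIST:
        problems.append("found in blocklist of common/breached passwords")
    if username and username.lower() in lowered:
        problems.append("contains the account username")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("repeated single character")
    return problems


def compare(password: str, username: str, last_changed: date, today: date) -> dict[str, bool]:
    """Accept (True) or reject (False) under each policy, for a side-by-side view."""
    return {
        "legacy": not legacy_policy(password, last_changed, today),
        "nist_style": not nist_style_policy(password, username),
    }


if __name__ == "__main__":
    samples = [
        ("Summer2018!", "alice", FRESH),                    # predictable, passes both
        ("Password1!", "alice", FRESH),                     # composition-compliant but blocklisted
        ("correct horse battery staple", "alice", STALE),   # long passphrase, fails legacy rules
        ("Alice2018!!", "alice", FRESH),                    # composition-compliant, contains username
    ]
    for pw, user, changed in samples:
        print(f"{pw!r:32} {compare(pw, user, changed, TODAY)}")
```

The first sample is the point of the excerpt: "Summer2018!" satisfies every composition rule and, under the legacy policy, will simply become "Summer2018!!" or "Fall2018!" at the next quarterly reset. The NIST-style checker does not pretend composition rules measure strength; it spends its effort on the checks that actually remove known-bad passwords from circulation, and a reset is then something you trigger on evidence of compromise rather than on a calendar.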


Filed Under: Editorial Articles

Comments

  1. kurt says

    June 20, 2018 at 11:36 am

    Removing expiration requirements – with the amount of phishing scams attempting to get users to provide their credentials in fake websites, is this really a good idea?

    • Marc Laliberte says

      June 20, 2018 at 11:49 am

      Recent studies have found that enforcing mandatory password expirations causes users to choose less secure passwords than they would if there was no mandatory expiration. That isn’t to say users should never reset their passwords, especially if they have fallen victim to a breach or phishing scam.

      A few years back, the Chief Technologist at the FTC wrote an excellent blog post on this topic citing a few studies. It is well worth a read! https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use