For employees, security controls have long been seen as obstacles to overcome rather than necessary precautions for the good of the company. In fact, a 2018 Insider Threat Intelligence Report from Dtex found that last year, 60 percent of users intentionally bypassed security policies with anonymous or private browsing. And, in 91 percent of assessments, employees used company machines for personal email activities, which puts corporate data and resources at a much higher risk for phishing attacks. How can you improve your company’s security posture and minimize risk, without simply mandating the most stringent security procedures?
In a recent column for Dark Reading, Marc Laliberte, senior security analyst at WatchGuard covers three tips to drive user buy-in for security policies. It may seem counterintuitive, but his first suggestion is actually to relax security controls. Here’s a brief excerpt from the article about this tactic:
“As a security professional, I understand the value of advocating for the strongest security possible. To be honest, if I had my way, users would use complex, 24-plus-character passwords, ignore all email attachments, and be blocked from accessing the Internet outside of specific whitelisted websites required for their jobs. But this isn’t realistic. Applying overbearing security policies is an effective way to get employees to ignore sensible security practices out of spite.
On the other hand, by relaxing some rules, IT can drive better policy adoption. For example, easing up on the websites you block can reduce the urge for users to try and proxy or VPN around corporate protections. Allowing less complex (but still secure) passwords can reduce password reuse and dissuade users from simply swapping in a new number when it comes time for a quarterly password reset. In fact, last year the National Institute for Standards and Technology (NIST) updated its password enforcement guidelines to remove complexity and expiration requirements, among other similar changes.”
For more information and to learn about the other two tips for establishing user buy-in for security policies, read the full article in Dark Reading. And for more on the latest security insights, news and research, subscribe to Secplicity.