Something I’ve written about a lot lately is how companies don’t have a real “culture of security.” In most companies that applies not just to IT: you see it everywhere. Printouts (containing important information) lying around on printers, no widely-available shredders, cabinets not locked, that kind of thing.

We tend to treat security as something we “have to do,” and especially when it comes to IT that attitude derives in part from most companies’ regard of IT in general as “overhead.” Security gets lumped in with sexual harassment training, diversity training, and other stuff we know we have to do, but that we don’t really consider to be a part of the core business. In fact, in most companies, security is something users try to work around, rather than work within, leading to them (for example) using Dropbox to transfer files with outside contacts, instead of using a company-provided, more-secure mechanism.

That’s a shame, because security is, and should be, very much a part of the business. Unless everyone is on board with security, all the time, security doesn’t happen – and that’s when things like Target, Marshall’s, or any of the other recent debacles happen.

So how do you make security a part of the company’s culture? It’s really hard. Maintaining a general sense of security essentially means being on “orange alert” all the time, and humans just aren’t designed to stay that alert all the time. In other words, you probably can’t make your users constantly aware of security. Instead, security has to become an ingrained habit – and building habits often means breaking old ones, and that’s what’s hard about it.

Take a construction site: any worker with any experience just pops on a hardhat, steel-toed shoes, and other personal protective equipment as a matter of habit. New workers have to be trained, usually through outright and continual nagging by their boss and coworkers. But eventually habit kicks in, and they stop thinking about safety and “just do it.”

Or consider folks who know it isn’t safe to drive a car and talk on a cell phone, and who instead develop a habit of walking around with a headset sticking out of their ear. Yeah, they might look like a dropout from Uhuru school, but it’s a worthwhile habit that prevents them from doing something stupid or unsafe.

Security has to be built up as a set of habits. Habit-forming can’t happen through company memos, once-a-year classes, or ubiquitous signage. Habits form through personal experience, and only through personal experience. They’re especially tough to form in areas where users work independently, like sending e-mail. One way to start developing good habits is, not surprisingly, through game-playing. For example, if you’re trying to break users of the habit of opening janky email attachments, start sending a few yourself. Make a little “virus” that logs the fact that the user opened it… and keep track of users who do, and who do not, open it. Publicly acknowledge those users who do not open the email, and award them points or something; deduct points from users who don’t follow the rules. Get HR involved, and let users redeem points for an extra day off or some other perk.
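To make the bookkeeping behind that game concrete, here is an added illustration (my own example, not code from the original post) of the scoring side: each simulated message carries its own per-user token, the harmless “virus” does nothing but append a timestamp and the token to a log when opened, and a small script turns that log into the points the post describes. The log format, the point values and the user names are constructed assumptions for this example.

```python
"""Scorecard for a simulated-phishing habit game (added example, not the post's code).

Assumptions (constructed for this illustration):
  * every test message gets a unique token per recipient per campaign, so a
    forwarded message cannot be mistaken for the recipient's own open;
  * the logging attachment writes one line per open: "<timestamp> <token>";
  * opening costs OPEN_PENALTY points, leaving it alone earns RESIST_BONUS.
"""
import secrets
from collections import defaultdict

OPEN_PENALTY = 5   # points deducted per campaign in which the user opened the bait
RESIST_BONUS = 2   # points awarded per campaign in which the user left it alone


def issue_tokens(users, campaign, token_factory=lambda: secrets.token_hex(8)):
    """Return {token: (campaign, user)} with one unguessable token per user."""
    return {token_factory(): (campaign, user) for user in users}


def parse_open_log(lines):
    """Return the set of tokens seen in the attachment's open log.

    Blank lines and '#' comments are skipped; a token opened twice counts once.
    """
    seen = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _timestamp, token = line.split()
        seen.add(token)
    return seen


def score_campaigns(token_maps, opened_tokens):
    """Accumulate points across campaigns.

    Returns (scores, opened_by): scores maps user -> points, opened_by maps
    user -> set of campaigns in which that user opened the bait.
    """
    scores = defaultdict(int)
    opened_by = defaultdict(set)
    for token_map in token_maps:
        for token, (campaign, user) in token_map.items():
            if token in opened_tokens:
                scores[user] -= OPEN_PENALTY
                opened_by[user].add(campaign)
            else:
                scores[user] += RESIST_BONUS
    return dict(scores), dict(opened_by)


def leaderboard(scores):
    """Highest score first; ties broken by name so the public list is stable."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def demo_scorecard():
    """Run two constructed campaigns over a constructed log and return the results."""
    users = ["alice", "bob", "carol"]
    counter = iter(range(1000))
    predictable = lambda: f"tok{next(counter):03d}"   # deterministic tokens for the demo only
    q1 = issue_tokens(users, "2014-Q1", predictable)  # tok000 alice, tok001 bob, tok002 carol
    q2 = issue_tokens(users, "2014-Q2", predictable)  # tok003 alice, tok004 bob, tok005 carol
    constructed_log = [
        "# constructed open log, not real data",
        "2014-02-03T09:12:00 tok001",   # bob opens Q1 bait
        "2014-02-03T09:12:05 tok001",   # bob opens it again; still one open
        "2014-05-10T14:00:00 tok004",   # bob opens Q2 bait
        "2014-05-10T14:03:00 tok005",   # carol opens Q2 bait
    ]
    opened = parse_open_log(constructed_log)
    scores, opened_by = score_campaigns([q1, q2], opened)
    return scores, opened_by


if __name__ == "__main__":
    scores, opened_by = demo_scorecard()
    for user, points in leaderboard(scores):
        print(f"{user:8s} {points:4d}  opened: {sorted(opened_by.get(user, []))}")
```

Running it lists alice on top with 4 points (two campaigns resisted), carol at -3 (one resisted, one opened) and bob at -10. The per-campaign token is the important design choice: it is what lets the log say who opened what without the attachment doing anything beyond logging, and it keeps one user's forwarded copy from being charged to someone else.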

Toys ‘R’ Us used a similar program to help deter shoplifting: cashiers are supposed to open and inspect any container that a customer purchases, like a small box or a lunchbox. The idea is to catch customers who are trying to sneak other merchandise into the container without paying. To enforce the policy, the company would insert a voucher into random containers. Cashiers who found the vouchers would receive a small cash award – enough incentive that everyone wanted to inspect containers. That want quickly became habit for most cashiers. The carrot came with a stick, too: if a customer found the voucher and brought it to the store with their receipt (meaning the cashier hadn’t checked the container), the customer got a prize, and the cashier (identified on the receipt) got disciplined.

Regardless of the political or financial realities at your company (in other words, think “blue sky” here), what might you do to entice users to develop better security habits? It doesn’t matter if you think your organization would use your ideas or not – share in a comment, in case someone else might benefit!
