Corporate Culture Shift: Using Adaptive Security to Influence Employee Security Behavior
I’ve heard it many times from customers: “IT Security needs to be transparent to users in order to be successful.” Unfortunately, we are now in a digital age where things have dramatically changed and research has shown over and over that credential compromise is the top way that hackers breach an organization.
IT security worries about creating burdens on employees (and perhaps more importantly, the company executives) because an unnecessary stopping of work affects our ability to get business done. However, with traditional security training proving to be a bust, it's time to change the old mindset and think outside the box. New technologies are available that can learn and understand "user behavior" and can be used to deliver stronger security.
We are already seeing changes on the consumer side. Customers are being forced to do some type of multi-factor authentication in order to proceed with transactions in banking. And we also see it with retail companies who use multi-factor authentication to prove identity before gaining access to user account support.
In our regular day-to-day lives, we are now being trained to use the new multi-factor techniques in order to access and proceed with what we are trying to do. So, now is the time to turn these same types of secure access and verification techniques inwards into our own companies. It's time for a corporate culture shift because I don't think we can keep doing the same thing and expect a different outcome in our businesses. People need to be part of the process.
4 Ways to Successfully Make the Shift
At Preempt we work with customers to help them analyze their employees' behavior based on Identity, Behavior and Risk. Based on the overall risk of these three factors, we can situationally respond and engage with a user in real time to do identity verification. This ensures that legitimate users are getting legitimate access, lets customers enforce policy when someone is trying to access systems outside policy, and can even identify malicious activity and stop it in its tracks. This adaptive approach helps reduce the burden on security teams and prevents real threats without stopping employees from getting their jobs done when they need to.
If you think your users are worried about embracing a new way of working or accessing the applications and systems they normally do, there are some key steps to make it a more successful transition.
Be Open with Employees:
Tell them why you are implementing these new techniques and why it's so important both for their own security and the company's. After all, inside the organization, employees' biggest asset is their identity and their integrity. If their identity is compromised, someone (an insider or an external hacker) may get access to their deepest work secrets that they shared over email or collaborated on in files. We have learned that employees are willing to invest effort when it is about things they care about: their identity.
Telling employees that they are now part of something important, that they are part of the company's security fabric, can make each individual feel more inspired and feel like they are doing their part to help keep their company secure. You are empowering them by telling them that these changes and their participation are important. Explain why you do this, how it is done, how you are alerted, what to do in case you believe it is fraudulent, what happens, whether there are external drivers for this such as regulations, and more…
Start by defining simple policies to get people used to a new way of business. For example, perhaps begin by implementing user engagement based upon location. If an employee is working from home and trying to access a work server, have them do a two-step verification, but tell them why they are doing it. The company is implementing this in order to keep the user's identity and the things they access safe. In turn, this keeps the company more secure. While people may initially complain that they have to use their phone, they will understand it, and over time it will become commonplace and easy. They do it all the time in their personal lives; now they are doing it at work too.
Start a company-wide security commitment campaign that provides a statement that aligns everyone on the goals so they are on the same page. Appoint/assign a clear point of contact. It takes time to adjust user behavior. Be honest about how the company is working to find new ways to secure employees and the company, and explain that there could be some bumps along the way as people learn a new way of interacting with internal systems. As the company transitions into this evolving digital age, people will be more prepared for change.
Focus on Low Friction:
When getting users to change behaviors and accept new ways of working, it's important to focus on how to make it achievable. Going down this path can bring productivity and security gains, with security teams now able to open up more access than was previously possible. Now employees who work from home can do so with fewer limitations because there are automated security measures in place to ensure the company remains secure.
Transparency Drives Change
Being upfront with employees on how you are changing the security fabric in the organization and how every user is a critical piece of the process will drive positive user experiences and eventual success.
To learn more about how customers have successfully implemented adaptive threat prevention based on identity, behavior and risk and have engaged users in the security process, contact us and we'd be happy to set up a consultation on how we can help implement this type of approach in your organization.
Posted by Heather Howland on January 12, 2018 7:19 AM