So the problem is laid out pretty well in this statement:
In a press release about the report, Monu Kalsi, vice-president of Shred-it, is quoted as saying, “The study’s findings clearly show that seemingly small habits [of employees] can pose great security risk and add up to large financial, reputational and legal risks.”
And the suggested fix for this, naturally, is to do more and better training. Now, as a long-time trainer, obviously I will advocate for that as well. Far too many places put a network security tool in place and hope for the best instead of actively involving their users as part of that defense. The article below lays out some good basics for that type of training.
But I’m waiting for the organizations who take that one step further. After you’ve trained them, will you actually hold them accountable for their actions? When will we see corporate policies that spell out how many of these “small habits” can create actual security problems before you either don’t get to work there any longer, or it starts to impact performance reviews and raises?
Right now, we are starting to see more organizations hold people accountable for sitting through the training. This is good, but how many of them are measuring, in a meaningful and personal way, whether the users are following the procedures they are being trained on? Isn’t it time to consider the possibility that the user who continues to click on fraudulent links and use cloud services and personal devices to access or store confidential information with no regard for security, regardless of what training they’ve received, is more of a risk to the company than a benefit? Even if they are in management.
Or a partner in a law firm.
Truthfully, when we measure the members of our organization, this isn’t one of the measurements we use to evaluate them. You get more of what you measure, and less of what you don’t.