You have done everything you can to make your network safe and secure. Applications and plugins are up to date. Email protection is in place: the email gateway digitally signs outbound mail, and an SPF record lists every server authorized to send mail for your domain. Endpoint anti-virus not only detects malware but stops it from executing.
You think you are covered? Think again. What about the users, the weakest link in your chain of defenses? As uncharitable as this may sound, it's a good idea to treat each user on the network as a potential risk. Since most malware needs some action on the part of a user to infect a device or network, one of the best ways to limit exposure is to maximize user awareness.
Life Happens
If your work environment is like most, it's a busy, bustling place. Deadlines need to be met and people are always looking for ways to get things done faster. The only problem is that some workplace efficiencies come at the expense of security. Of course the marketing team would like more control over the company website, to add an army of cool new plugins. Of course the finance team would like macros enabled in all of their spreadsheets. And yes, it may well be the corporate anti-virus that's slowing down your system. There will always be a tug of war between speed and efficiency on one side and the need for security on the other.
In today's digital DIY environment a little knowledge can be a dangerous thing, and it's often the users who consider themselves pretty tech savvy who are most at risk. The challenge for IT educators is to change the "in the now" mindset that sees only the immediate need and not the big picture. Deadlines come and go, but if, in a torrential rush to make that 5pm delivery, a user cuts some corners, disables security and gets roped in by a particularly convincing spoof into installing ransomware, they can not only kiss that 5pm deadline goodbye but possibly all the files on their computer as well. It takes just a second of inattention to land oneself, and the entire network, in a pickle.
This is not to say people should be hamstrung by overly rigid security measures. And certainly if your security suite is causing chronic lag you’ll need to address that before preaching prevention or your message may fall on deaf ears.
Bringing the Security Message Home
One excellent way to get people on board is to extend the argument for good security habits from work to home and back again. As the lines between work and personal time increasingly blur, and with more worker mobility, remote access and double-duty devices, this makes for an easy and powerful starting point for the discussion. While users may not have any emotional attachment to the digital assets they manage at work, they might feel differently when the talk turns to their personal files: photos, movies, music and other digital keepsakes. The fact is that a single ransomware attack could lock them out of both work and personal files. Thus the conversation starts to feel a lot less like what the IT department wants and a lot more like helping users avoid costly, time-consuming and possibly even tragic consequences.
Protection Types
Once your community is open and invested in the importance of security, it’s a good time to do some basic reviewing of the tactical side of security with concrete, achievable recommendations. These may include:
Understanding the Risks
- Real-time anti-virus – It can take less than 20 seconds for an unprotected computer to get infected. This first line of defense is essential and must always be up to date and active.
- Phishing – Use concrete examples to sensitize users to the risks of clicking links or opening attachments from unknown or suspicious senders. Two signs worth showing them: link text that displays one address while the underlying href points somewhere else, and lookalike domains that contain a trusted brand name but are not the trusted domain.
- Ransomware – The effects of ransomware attacks are just as important as the increasingly clever methods cyberthieves use to get users to run them. Keep your users up to date on the latest threats.
Best Practices
- Strong Passwords – Enforce a minimum password length, and screen new passwords against a list of common and previously breached passwords. The traditional rules (a number, a capital letter, a forced change every few months) are no longer recommended by NIST SP 800-63B: users satisfy them with predictable variants like "Password1!" and rotate by incrementing a digit. Length and a breached-password check do more, and require a change only when a password is known to be compromised.
- Securing Your Workspace – Many users may not consider the files they are working on sensitive or valuable, but they may be in for a surprise. Encourage all employees to enable a short screen-lock timeout to prevent the risks associated with wandering eyes and intruding thieves.
- Using Unauthorized Software – You don't want to trample on your users' freedom and efforts to improve efficiency, but it's essential to maintain a whitelist of approved programs across key categories and a blacklist of absolute no-nos.
- Tech Support – Encourage users to look to you freely for advice, tips and tricks for staying secure and to approach you when they are unsure about a potential risk.
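To make the password recommendation concrete, here is an added example written for this article (not code from the original page). It implements the classic composition rule beside a length-plus-blocklist check and shows why the latter is the stronger policy: "Password1!" satisfies the composition rule yet is a one-guess password. The blocklist is a tiny constructed stand-in; in practice load a full breached-password corpus.

```python
"""Composition-rule password check versus length plus breached-password blocklist.
Example code for this article; COMMON_PASSWORDS is a constructed sample, not a
real breached-password list."""
import re

MIN_LENGTH = 12  # assumed policy value

# Constructed stand-in for a common/breached password list (base words only;
# normalize() strips the digits and symbols users bolt on to satisfy rules).
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "summer",
    "changeme", "iloveyou", "monkey", "dragon",
}

# Undo the usual leet substitutions so that P@ssw0rd compares equal to password.
LEET = str.maketrans("@$0134", "asoiea")


def normalize(pw):
    """Lower-case, drop trailing digits/symbols, undo leet: 'P@ssw0rd2024!' -> 'password'."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def meets_composition_rules(pw, min_length=8):
    """The traditional policy: a number, a capital letter and a minimum length."""
    return (len(pw) >= min_length
            and any(c.isdigit() for c in pw)
            and any(c.isupper() for c in pw))


def check_password(pw, username=""):
    """Length-plus-blocklist policy. Returns the list of reasons for rejection;
    an empty list means the password is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(pw) in COMMON_PASSWORDS:
        reasons.append("variant of a common/breached password")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if len(set(pw)) <= 3:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    # Constructed test candidates.
    for candidate in ["Password1!", "P@ssw0rd2024!", "correct horse battery staple"]:
        print(f"{candidate!r}: composition={meets_composition_rules(candidate)} "
              f"blocklist policy={check_password(candidate) or 'accepted'}")
```

The first two candidates pass the composition rule and fail the blocklist policy; the passphrase fails the composition rule (no digit, no capital) and is accepted by the blocklist policy. When you move to such a policy, tell users why: the explanation is itself a piece of awareness training.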
Sharing the Knowledge
Some great ways to educate your employees include:
- Lunch & Learn Sessions – Users can bring their lunch or order pizza. Discussions need to cover how to respond to a security threat and tie in home use.
- Send Regular Emails to Advise on Security – Provide timely, accurate and actionable security briefs to your users (e.g., the SANS Institute posts a Security Awareness Tip of the Day).
- Security 101 – Include security training sessions when a new employee comes on board.
- Cartoons! – Yes, cartoons! Cartoons are a great way to educate in a fun memorable way. Share them via email, on the company portal or intranet and post them to social media.
Summary
Employees want faster, more convenient ways to get work done. Unfortunately, the fastest route is not always the safest. You can have all the best practices in place to secure your network, but if an employee doesn't do their part to protect against threats, the network can be compromised and the business damaged. Educating users empowers them to participate in the security of their work environment.