Simplifying Cybersecurity Requirements for Employees

Cybersecurity requirements we give employees are too complicated.

That’s the conclusion drawn by Maarten Van Horenbeeck, writing in the November issue of the Harvard Business Review.

“One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose. For example, password policies are so complicated and inconvenient that most employees just ignore them.”

Citing that latest Verizon Data Breach investigation that found phishing attacks are the cause of 90% of all data breaches and security incidents, Van Horenbeeck, wrote, “Clearly, employees are the main gateway into the organization for attackers. As a result, they are also the first line of defense.

The Verizon report found that employee notifications are the most common way organizations discover cyberattacks. So, arming these “sentry” employees with information they need to identify attacks is a critical part of a company’s overall security program — and yet most companies fail at this.”

Security Training Is Not Effective

Van Horenbeeck also takes aim at companies’ security training, call it a waste of time.  “They are shuttled into mandatory half-day security training sessions, at which they often spend time staring at their phones or pretending to pay attention. It’s too much information to expect someone to absorb and remember, but for IT, it serves a purpose: enabling admins to report back to their department heads that they have trained employees on security best practices.”

A better strategy, according to Van Horenbeeck, is to customize training, providing targeted information to specific individuals in a way and time they are most likely to be receptive to and able to learn from.

Similarly, most internal security tests are too broad and unfocused. For example, IT departments tend to do phishing tests by sending out the same fake email to all employees.

Another key element to improve security is to build trust between the IT Department and the rest of the employees.  Frequently, IT is seen as traffic cops, rather than an ally with both sides having a shared mission to ensure security, Van Horenbeeck writes.

“The single most important thing companies can do is improve the relationship between IT and employees, who are the closest to the data and devices, and thus in the best position to discover and report security anomalies and incidents.”

Maarten Van Horenbeeck is a security manager who formerly led Amazon’s Threat Intelligence Team and held security roles at Google and Microsoft. He’s currently Vice President of Security Engineering at Fastly.