IT consumerization has given users more control over the technology they use for work — and new ways of misusing that technology and exposing sensitive information to hackers. And in addition to new threats from mobile devices, social networks have given criminals more ways to get a hold of users and perform social engineering attacks.
Those trends explain why more IT security incidents are being blamed on users right now. In a recent Ponemon study, 78% of companies said they’d been the victim of a data breach caused by negligent users at least once in the past two years. And in another survey, 72% of IT pros said careless users were a bigger threat than hackers for their organizations.
The first step to correcting users’ behavior: improving security training and awareness. Here are some tips for IT security training that can get users to care more about protecting company data:
- Make it personal — Many users may be indifferent about the security of the company’s information, but they likely care about security when it affects them personally. Therefore, IT security training could include some personal security tips about preventing identity theft and financial fraud — for example, topics might include “Keeping your kids safe online” and “How to spot phony bank emails.” That can help keep IT security front and center in people’s minds. When possible, show how the same advice can be applied at work and at home, which will help users remember.
- Show, don’t tell — This kind of tip may only be OK in certain work environments, but one way to show users that security incidents are real is to create them yourself. For example, if users keep their email passwords written down at their desks, someone can steal one and send emails using the person’s account. Of course, keep things lighthearted and choose victims wisely.
- Give them a test — Another way to show how lax users’ security practices are is to conduct a threat test before an IT security training program — for example, create your own phishing scam and see how many people are duped. Not only will that alert users to their own vulnerabilities, but the results of the test could also get upper management’s attention.
- Learn from marketers — Many IT security training programs throw a ton of information at users all at once. But most marketers will tell you people retain more when information is given to them in smaller, more manageable chunks. Users in your company’s marketing department can probably help you come up with other ways to get your security message across, such as writing catchy security slogans on different topics.
- Group users appropriately — One common mistake in IT security training programs is giving users too much information that they already know or that doesn’t apply to them. Therefore, it might help to put users in groups based on technical expertise and the level of sensitive data they have access to, and give them different training. Don’t go overboard to the point where IT is spending all of its time conducting different training programs, but a few tailored sessions can pay off in terms of getting more users to listen.
- Start at the top — Getting buy-in from upper management is essential — users won’t care about security if their boss doesn’t. One strategy is to get upper management involved in security planning. For example, IT should get their input when deciding on policies and procedures. Make it clear IT security is the entire company’s responsibility.