No surprise here, but a recent survey shows just how little many employees care about IT security while they’re at work. How can IT managers get them to change their attitudes?
The good news: It’s not as if no one listens when IT talks about security. However, there aren’t nearly as many people on IT’s side as IT managers would like.
Just 39% of employees said they care about security and adhere to policies designed to protect their companies, according to a recent survey from security vendor Avira.
What’s worse, a nearly equal number of people feel the opposite way, with 35% admitting they’re aware of security policies at their employers but don’t feel it matters whether anyone follows them or not. And among the 991 users polled, 25% said they don’t think about IT security at all, feeling that security is a job for IT and not the rest of the business.
Avira recommends regular training sessions to emphasize the importance of working securely and to teach users security best practices.
But of course, it’s going to take more than just basic training to get users to recognize that safety is an important part of their jobs. Here are some training tactics IT managers can try that may have a bigger impact on employees’ attitudes about security:
- Make it personal — Users likely care about security when it affects them personally. Therefore, IT’s security training could include some personal security tips about preventing identity theft and financial fraud. That can help put information security front and center in people’s minds.
- Start at the top — One reason many users don’t believe security is important is that their managers don’t think it’s important. IT managers can try sitting down with other leaders throughout the company before training to make sure they understand why it matters.
- Issue reminders every chance you get — Any time a user interacts with someone in IT, that’s a good opportunity to send a reminder about security. For example, when a help desk staffer fixes a user’s problem, in many cases, there will be a way to make a connection to some security topic.
- Suggest alternatives when you ban something — In some cases, IT simply has to say “no” to what users want to do. But other times, there’s an alternative out there that can meet many of users’ needs without creating security problems — for example, if an application users want can’t be installed, there may be a more secure alternative.
- Be wary of accusing or talking down — Some people may tune out IT’s security message thinking it doesn’t apply to them because they’re tech-savvy or because they aren’t criminals. But training should emphasize that smart people — including IT professionals — sometimes make security mistakes, too.
Do you have any advice on getting users to care about security? Share your tips in the comments section below.