There is a growing threat looming to corporate computer security in the attitudes of younger workers to technology, according to a report issued Wednesday by Cisco Systems Inc. The solutions as I see them are written between the lines below, as the article describes the “reasoning” of those “young workers” surveyed. In my incident response experience, it isn’t just the young folks, either.
- One-third ignore policy because they don’t believe they’re doing anything wrong.
- [This is an educational and awareness issue.]
- 22% did it because they needed to access unauthorized apps to do their job.
- [This is an HR and compliance issue. If they can’t do their jobs without breaching policy or security, they were the wrong hires.]
- 18% said they do not have time to think about policies when they are working.
- [That is 18% who need awareness sessions focusing on recent events. They could do with some time away from work, thinking about security & policy.]
- About 19% said they did it simply because the policies aren’t enforced.
- [This is an enforcement issue. It should be addressed in a security program, and employees should be made aware of new monitoring and enforcement efforts. If it ain’t enforced, it ain’t policy.]
- About 16% said adhering to the policies is not convenient.
- [This is an educational issue, and should be 100%. Policies are not INTENDED to make things convenient; they are intended to make things safe, secure and reliable.]
Educational issues should be addressed by placing someone with authority in front of the subjects, explaining the policy to them, the reasons for the policy, the fact that when they do foolish things they risk their own jobs, the reputation and well-being of the company, the jobs of those around them, and highlighting the impacts to their employment that continued violations could have.
Awareness materials should be developed based on current issues the company faces, and should be updated and offered regularly.
HR issues can only be addressed through screening and monitoring. Those who cannot operate under the governance and rules of the company belong with the competition. People who don’t think about security are not thinking. Do they protect their PIN? Do they walk down dark alleys flashing cash in hand?
There are not enough policemen to patrol every street, so are they running red lights because that is hard to enforce?
Convenience is the blunt and comfortable end of the stick. They are not being paid to be comfortable at the risk or cost of the company and its customers.
Just my 2¢ from the pointy end of the stick. Suck it up, “young workers”, we all want to keep our jobs…