Every time the details of a new security breach hit the headlines, something is made clear: security tools and solutions aren’t working. Yet businesses continue to throw more and more money and technology at the problem.
It’s time to look at the human factor, which means understanding why individuals engage in risky or dangerous online behaviour. It also means trying to get them to understand the risks, and change that behaviour accordingly. It means taking a human-centric approach to security.
Being human-centric means knowing that users will do risky things not because they are careless or malicious, but because they are focused on what they are doing, and security takes a back seat. They may be unable to resist clicking on a link in an email, or visiting an unsecured website. They will also use unsanctioned applications and devices on the corporate network, because they don’t have the tools they prefer and want to get the job done.
Many people cut security corners because it makes it easier for them to accomplish the task at hand. This is why policies around users need to be flexible: instead of a blanket policy banning x or y in the workplace, steer users towards the ‘secure way’ when they are unsure of what to do.
Businesses need to understand and accept the human risk, and try to manage the outcomes of human behaviours.
Think about a staff member trying to send a proprietary or confidential work document to his or her personal address, or via a messenger. If you always block these actions, productivity could be hampered; if you always allow them, data could be at risk. A human-centric approach would be letting the employee know that this is dangerous, and making him or her decide if the risk is worth it. If they go ahead, they would have to take full responsibility for their actions.
Another way of managing the human risk would be to automatically encrypt all data that leaves the organisation, so that it can only be accessed on authorised systems and by authorised users. They would then be unable to share that data with any unauthorised user.
Encourage users to co-operate with security policy. All individuals need to feel valued and respected, so steer them in the right direction and help them understand the consequences of risky behaviour. If you do this, you will achieve greater productivity and improved security.