Part four: Supporting user experience through education
By François Amigorena, CEO, IS Decisions
The bigger the organisation, the bigger the threats can be — all it takes is one small mistake from an employee and the whole organisation can be put at risk. But at the same time, it’s not practical to be there to hold every employee’s hand and ensure that they always do the right thing. Ultimately you need to empower employees with clear guidance and training about the risks and then trust them to make the right decisions about downloading unsolicited attachments or sharing passwords.
Our guide UX versus User Security features a survey of 500 IT Security Managers from the UK and US which confirms that employees on both sides of the Atlantic generally do feel trusted by their employers, with only 1% strongly disagreeing. However, when asked if they felt empowered to make the right security choices there is a bigger divide of trust — 80% agreeing in the US compared with just 56% in the UK.
Most organisations base their trust in employees on an assumption that, if they give staff the right advice, staff will take some personal ownership of their part in the organisation’s security. To a certain extent that is true, but it can’t be taken for granted because at the end of the day employees have a job to do, so in times of high stress the organisation’s security can easily fall off the priority list.
My advice to help your employees avoid careless mistakes and discourage malicious activities is to set up real-time IT security alerts and notifications that go directly to them (rather than just to the sysadmin) if their credentials are being used elsewhere. These alerts can be set up alongside admin-controlled restrictions designed to stop careless behaviour on the spot. Giving employees more visibility not only makes them feel empowered to show good user security behaviour, but also defends the organisation against those with malicious intentions.
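To make the idea concrete, here is an added sketch (not code from the article or from any IS Decisions product) of a logon monitor that alerts the account owner as well as the sysadmin when their credentials are used from a second workstation, and applies an admin-set restriction at the same moment. The event format, the `MAX_SESSIONS` limit, and the user and workstation names are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

MAX_SESSIONS = 1  # assumed admin-set limit on concurrent sessions per user

# Constructed sample events: (time, user, workstation, action)
EVENTS = [
    ("09:00", "alice", "WS-LON-01", "logon"),
    ("09:05", "bob",   "WS-NYC-07", "logon"),
    ("09:30", "alice", "WS-PAR-22", "logon"),   # alice is still active on WS-LON-01
    ("12:00", "bob",   "WS-NYC-07", "logoff"),
    ("12:10", "bob",   "WS-NYC-09", "logon"),   # earlier session closed: no alert
]

@dataclass
class Monitor:
    active: dict = field(default_factory=dict)   # user -> set of workstations
    alerts: list = field(default_factory=list)   # (recipient, message) pairs

    def handle(self, time, user, host, action):
        """Return True if the logon is allowed (logoffs always return True)."""
        sessions = self.active.setdefault(user, set())
        if action == "logoff":
            sessions.discard(host)
            return True
        others = sorted(sessions - {host})
        if others:
            msg = (f"{time}: {user} logon attempt from {host} "
                   f"while active on {', '.join(others)}")
            # Notify the account owner directly, not only the sysadmin.
            self.alerts.append((user, msg))
            self.alerts.append(("sysadmin", msg))
        if len(sessions | {host}) > MAX_SESSIONS:
            return False   # restriction applied on the spot; session not opened
        sessions.add(host)
        return True

def run(events):
    """Replay events; return per-event allow/deny decisions and the alerts raised."""
    mon = Monitor()
    decisions = [mon.handle(*e) for e in events]
    return decisions, mon.alerts

if __name__ == "__main__":
    decisions, alerts = run(EVENTS)
    for recipient, msg in alerts:
        print(f"to {recipient}: {msg}")
```

The owner of the account is the only person who knows for certain whether the second logon was theirs, which is why the alert is addressed to them first.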
It is obviously important for organisations to have a way to detect possibly compromised credentials. But it is not just about detecting a breach; it is also important to have security protocols in place to help minimise data loss as quickly as possible. And if your employees are trained to notice when something is not right and flag it as soon as possible, it can really help minimise this loss.