Friday, June 28, 2013

"A very effective technique!" - Why I Phished My Own Company

by Tom Cochran  |   1:05 PM June 28, 2013
Ten months ago, I was in charge of digital technology for the White House, where security was the top priority and it was inexcusable to let your guard down. Today, I make strategic and tactical technology decisions as the CTO of Atlantic Media. In a media environment, security is often trumped by functionality, convenience, or cost. It's frequently seen as peripheral or even an impediment to business operations.
In fact, many organizations face a similar problem: Tighter security introduces minor inconveniences into workflows, so employees don't comply. In Verizon's Data Breach Investigations Report, 97% of breaches could have been avoided through easy, simple controls. According to one study, 91% of all cyber-attacks are the result of phishing emails, another completely preventable attack. From my position, those are horrible odds. I would be guilty of dereliction of duty if I didn't take steps to mitigate this risk.
But how would I go about it? Would it start with educating the employees at my company? The problem with this solution is that people are inherently fallible. They will make mistakes, regardless of awareness training. Unfortunately, for most people, the cost of modifying comfortable behavior is too high. To the average employee, fixing bad digital habits yields intangible benefits and often creates annoying inconveniences.
Another strategy is to issue a corporate dictum announcing tighter security policies, though it likely would be perceived as draconian. This policy would be more effective than a call to take personal responsibility, but still doesn't address the fact that most employees don't fully understand why they need to change habits. Digital naiveté leads people to believe that bad things won't happen to them. (I should introduce them to Matt Honan.)
What about mandating tighter security policies on your systems — stronger password requirements, for example? Increasing the length and alphanumeric complexity is more secure, but introduces the issue of employees not being able to remember their own passwords. This solution erects a barrier, which will be perceived as hindering daily operations. Employees will receive the (intangible) benefit of security — which, to many, will seem more like a costly burden.
None of these campaigns were going to sell the benefits of greater security — not until employees understood the threat's reality. The only way to effect systemic, lasting cultural change at the company was to make the cost of not changing bad digital habits greater than the perceived cost of changing them.
To do this, I needed to demonstrate the ease with which someone could be scammed into handing over their password by sending a fake phishing email to the entire company. I sent the phishing email on a Friday afternoon and two hours later, I had the empirical evidence. Almost half of the company opened the email, and 58% of those employees clicked the faux malicious link.
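The two numbers the drill produced (share of the company that opened, share of openers who clicked) are a funnel, and a tracker's raw event log needs a little care before it yields them. The following is an added example, not the author's tooling: it assumes a constructed log format of "timestamp event recipient" and counts each person once, treating a click as proof of an open even when no open was recorded (tracking pixels are silently dropped when mail clients block images, so open rates are otherwise undercounted).

```python
from collections import defaultdict

# Constructed sample of what a phishing-drill tracker might log
# (format assumed for this example): "<timestamp> <event> <recipient>".
SAMPLE_LOG = """\
2013-06-28T13:05 sent alice@example.com
2013-06-28T13:05 sent bob@example.com
2013-06-28T13:05 sent carol@example.com
2013-06-28T13:05 sent dave@example.com
2013-06-28T13:12 opened alice@example.com
2013-06-28T13:13 clicked alice@example.com
2013-06-28T13:20 opened bob@example.com
2013-06-28T13:40 clicked carol@example.com
2013-06-28T13:41 clicked alice@example.com
"""

VALID_EVENTS = {"sent", "opened", "clicked"}


def parse_events(log):
    """Return {recipient: set(events)}; repeats collapse, bad lines are skipped."""
    per_user = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] not in VALID_EVENTS:
            continue
        _timestamp, event, recipient = parts
        per_user[recipient].add(event)
    return per_user


def drill_funnel(log):
    """Compute the drill funnel: people sent, people who opened, people who clicked."""
    per_user = parse_events(log)
    sent = {u for u, events in per_user.items() if "sent" in events}
    clicked = {u for u in sent if "clicked" in per_user[u]}
    # A click proves the mail was read even if the tracking pixel never loaded,
    # so clickers are always counted among the openers.
    opened = {u for u in sent if "opened" in per_user[u]} | clicked

    def pct(part, whole):
        return round(100.0 * len(part) / len(whole), 1) if whole else 0.0

    return {
        "sent": len(sent),
        "opened": len(opened),
        "clicked": len(clicked),
        "open_rate_pct": pct(opened, sent),
        "click_rate_of_openers_pct": pct(clicked, opened),
        "click_rate_of_all_pct": pct(clicked, sent),
    }


if __name__ == "__main__":
    print(drill_funnel(SAMPLE_LOG))
```

Carol's click with no recorded open is why the openers count is 3 rather than 2 on the sample; a report that ignored this would overstate the click-through rate among openers.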
Rhetoric wouldn't resonate with the masses. But now, I had data to back me up. Through this experiment, we raised the perceived probability of a data breach dramatically: hacking was now a costly and probable event. Through company-wide awareness, the experiment's outcome effectively increased the cost of not improving personal security.
The follow-up email I sent to the entire company was sobering and extremely effective. We had irrefutable evidence to support an upcoming policy change, which would have been viewed previously as constrictive.
The company would enforce 2-step verification for all employee email accounts, which requires a second action (like entering a six-digit code from a text message) after entering one's password. This is a vastly superior form of security: Even if someone steals your password, they will be unable to hack into your account without also stealing your phone. Major social networking sites like Facebook, Twitter, and LinkedIn use similar log-in mechanisms.
The phishing experiment attained the crucial buy-in of employees; now that they personally understand the dangerous implications of not following the rules, they're more willing to take data security seriously. People are more apt to learn from an experience than listen to a recommendation or policy. Just like a regular office fire drill, senior leadership should be running random phishing drills to give them that experience. And, the experiential learning doesn't stop with these emails.
Placing someone in a cyber attack drill is the safest and most effective tactic to build the company's collective security intelligence. It successfully opens everyone's eyes and paves the way for a serious conversation about the initiatives I mentioned above — increased training, more effective policies — and this time, our employees just might listen.
