It’s one thing to put systems in place to protect your company, another to have them enacted. Security is a big enough problem in itself, but in companies around the world, employees fight security. Keep in mind we are talking about action taken to disobey policy, not just naivety. For example, I’m sure you have, or know people who have, visited sites they’re not supposed to at work. This is a simple and seemingly innocent form of disobedience. However, it can lead to more dangerous action or, even worse, compromise the system entirely. So this raises the question: how do we stop employees from fighting the things that protect them and your company?
Don’t take away all their rights
Alright, I know what you’re thinking: “You just said go hard on security, and now you’re taking it easy?” However, not taking away all of your employees’ rights just might save you some aggravation and give you added security. The key here is to think about the things that are not critical and would make your employees happy. Maybe, instead of barring them from all social media, educate them on the information they shouldn’t be posting for the world to see, and make rules about when they can use social media.
Avoid the group mindset threat
Once one person is willing to disobey your security policies, the rest of your employees can start down the same dark path. If one will take action against policy, another might be more likely to do so as well. This will continue until, all of a sudden, those who are following your security policies don’t fit in. This process of disregard can be accelerated by two things. The first is the safety provided by numbers: if everyone is doing it, they’re less likely to get in trouble. Second, once a majority is disobeying, the rest will feel left out and therefore obligated to join the other side. Avoid the group mindset threat at all costs; it’s a highway to compromise of your business’s security.
Reward good behavior
How do we combat disobedience without resorting to punishment? Reward good behavior. Whether this behavior is reporting action that could hurt security or simply taking the correct action, rewarding it reinforces good behavior. This can be as simple as recognition or, if you want something more elaborate, a competition system with prizes for employees.
Don’t be afraid to crack down
On the other hand, we can also combat disobedience directly. You don’t have to torture your employees, though. Take into account your policies and the action taken that could’ve harmed the company. Then base your punishment on that; it can be as little as an email chastising the employee, or a penalty such as denying privileges. Remember, don’t be afraid to crack down on disobedience; it leads down a dark path and can be devastating to your company.
Ensure that your employees are aware of the information at stake and the damage that can be caused. If they don’t know that a seemingly simple social media post can lead to a deadly spear phishing attack, how can you expect them to follow policy? Likewise, they need to understand that your company and its information are valuable. If not, they won’t understand why it’s important to follow policy.
Realistic and clear policy
Finally, putting all the pieces together, you need to have a realistic and clear security policy in place for everyone to follow. This policy has to keep the employee in mind (not taking away all their privileges) and show the employees what to do and why (awareness). Once employees are willing to follow a secure system, you have a security juggernaut. Do not forget the human side of security; it can make or break your efforts.