Sunday, April 10, 2022

Using The Tactics Of Security Nihilism Will Not Work - 3 Reasons Why

Just yesterday, I wrote an article for a client on what is known as “Compliance as a Culture”.  Essentially, this is a concept where you want all of the employees in your company not only to comply with your Security Policies, but also to maintain the strongest levels of Cyber Hygiene that are possible.

Remember, we have all (or at least most of us have) heard the word “Compliance” used so often as it relates to abiding by the CCPA and the GDPR.

But as I just mentioned, there is so much more to it than that.  When it comes to abiding by the data privacy laws, the fear tactic has always worked.  For example, as a business owner, I am sure that you would never want to get audited, or worse yet, face all of those stiff fines and penalties.  But this kind of method can only go so far, especially when it comes to your employees.

The technical term for this is “Security Nihilism”.  Even to this day, scaring employees in training programs is a technique that is quite often used to make sure that they comply with all of your Security Policies.

But in the end, rather than fostering that so-called “Culture of Compliance”, you will not only create a wall between your IT Security Team and your employees, but you will even foster an atmosphere of hatred.

One never wants this, as it will only lead to a huge decrease in productivity levels for your company.  So, what can be done about this?  Obviously, you need to come up with ways to treat your employees differently.  Probably the best way is to approach them in a very non-hostile manner, like treating them as a close friend.  Here are some tips you can implement:

1) Employees are not the weakest link in your chain:

I get so irritated when people say this.  Yes, employees can and will make mistakes, but that does not mean that they did it intentionally.  Remember that as a business owner, you are far from being perfect either.  Remember that your IT Security team can only go so far.  They need a lot of extra eyes and ears as well, and this is where your employees come into play, even all the way down to your overnight custodial staff.  In this regard, a lot of business owners like to maintain that “gotcha” style of training.  In other words, if a simulated Phishing attack is launched, those that fall prey to it are then taken aside and chastised.  What is the point of this?  As mentioned earlier, you are simply going to foster a feeling of hate and reprisal in those employees that took the bait.  Instead, take that employee aside, and explain to them what happened.  In fact, don’t even mention the fact that he or she did something wrong.  Rather, after pointing out the flaws that just occurred, tell them what solutions can be used to rectify the problem.  Taking this approach will not only create a friendly environment, but you will probably even have a more loyal employee in the end.

2) Rewards always help:

From time to time, in order to make sure that your employees are trying to maintain the best possible levels of Cyber Hygiene, rewards can also be a great thing.  For example, perhaps once a month or once every two months, you could hold a contest for whoever is maintaining those good levels, but you should also take the opposite approach as well: providing rewards to those employees who have reported security breaches that were actually looming on the horizon.  Remember, giving out rewards does not have to be a budget breaker.  Even small items, such as gift cards, a free gym membership, or even a lunch or dinner out, can go a long way for morale.

3) Improve your Security Awareness Training programs:

In Corporate America, the thinking is that this is a one-and-done deal, and that you should cram in as much info as you can.  But in all honesty, this is probably the very worst approach that you can take.  You need to keep your employees sharp when it comes to spotting security vulnerabilities and gaps, and one of the best ways to do this is by having regular Security Awareness Training programs.  As a rule of thumb, this should probably be done at least once a quarter.  The next point is that your training programs should be no longer than 30 minutes, or 45 minutes at the very most.  That is about the average attention span of a human being.  Anything longer than that will simply lead to information overload.  Also, stay away from the boring lecture-style format.  You want to make your training programs engaging so that your employees will come away with something at the end, and actually apply it.  So make the training fun and competitive, and even give rewards here as well.  One of the best ways that you can take this kind of approach is to utilize the concepts of what is known as “Gamification”.  The bottom line here is to never make use of the “Fear, Uncertainty, and Doubt (FUD)” approach.

My Thoughts On This:

Right now, we are all under a lot of stress and pressure, especially with the new variants of COVID-19 coming out, and the situation happening in Ukraine.  One of the very last things you want to do is add further pressure to your employees by using fear tactics to set them straight about Cyber Hygiene.  I am a strong believer in Karma, and what goes around comes around.

Taking the fear approach is only going to come back to haunt you, and perhaps even cause your business to implode.  Treat your employees the way you would want to be treated: with respect and friendliness.
