How To Combat Your Security’s Weakest Link
As a security professional, organization leader, or the person responsible for your organization's security outcomes, you know that end users are the weakest link. Unfortunately, they are also the biggest link: they are the organization's public-facing surface, the one hackers are probing constantly to get inside. Which leads to the question: if you must have end users, how do you prepare for the next scary security event? During my time leading organizations and IT, I have collected and implemented a few guidelines to improve end user behavior and prepare for the next scary day. These are not hard and fast rules, and they cannot reduce your risk to zero. Nothing can.
However, they may make your organization annoying enough that hackers stop trying and move on to the next one. Each of the guidelines below creates a nudge or push toward better behavior for end users and security teams:
1 – Train them, train them all.
Train your end users on how to set appropriate passwords, what a phishing email looks like, and when to call the security team, and help them understand that ignoring the rules can cost thousands of dollars.
2 – Test them.
Test them on a regular and random basis, not as a way to check the box for an auditor, but as a way to help them learn about the hackers' ever-evolving trick-or-treat bag, so that they act on knowledge rather than fear.
3 – Reward them.
Reward good behavior with simple things, such as announcing the first person to report this week's phishing test or the top ten scores on the quarterly security review, to encourage everyone to pay attention to those events.
4 – Establish rules.
Build rules that support, identify, and redirect end users when they do not practice good behavior, so that they learn and cooperate rather than feel punished.
5 – Plan.
Build your plan for the next scary day, when all of the preventions fail. Hopefully you never use the plan, but it is orders of magnitude better to have one when the time comes. You do not want to build a boat while you are sinking.
6 – Expect the unexpected.
Leave a "what if we did not plan for this" section in your plan. No plan can cover 100% of the what-ifs. This is also where your plan should name the external security team you already have under contract, so they can engage immediately.
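As an added example (not code from the original post), the following Python script scores one simulated phishing campaign from a constructed event log, producing the figures items 2 and 3 above rely on: the first reporter, time to first report, report and click rates, and the difference between a user who clicked and then reported (a recoverable mistake worth praising) and one who clicked and stayed silent (a candidate for item 4's redirect). The log format and event names are assumptions; real simulation platforms export their own schema.

```python
"""Score a simulated phishing campaign from its event log.

Added example, not code from the original post. It computes the kind of
end-user behaviour metrics that "test them" and "reward them" call for:
who reported first, how fast, and what share of recipients reported
versus clicked. The event format below is an assumption; real
simulation platforms export their own schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log for one campaign: "<ISO timestamp> <event> <user>".
# Event kinds assumed here: sent, clicked, submitted, reported.
SAMPLE_LOG = """\
2024-03-04T09:00:00 sent alice
2024-03-04T09:00:00 sent bob
2024-03-04T09:00:00 sent carol
2024-03-04T09:00:00 sent dave
2024-03-04T09:00:00 sent erin
2024-03-04T09:07:30 reported carol
2024-03-04T09:12:00 clicked bob
2024-03-04T09:12:40 submitted bob
2024-03-04T09:15:00 clicked dave
2024-03-04T09:16:10 reported dave
2024-03-04T09:40:00 reported alice
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user = line.split()
        events.append(Event(datetime.fromisoformat(ts), kind, user))
    return events


def campaign_metrics(events: list[Event]) -> dict:
    """Summarise one campaign: rates, first reporter, and who needs coaching."""
    by_kind: dict[str, set[str]] = defaultdict(set)
    for e in events:
        by_kind[e.kind].add(e.user)
    recipients = by_kind["sent"]
    if not recipients:
        raise ValueError("no 'sent' events: nothing to score")

    reports = sorted((e for e in events if e.kind == "reported"), key=lambda e: e.ts)
    send_time = min(e.ts for e in events if e.kind == "sent")
    first = reports[0] if reports else None

    clicked = by_kind["clicked"]
    reported = by_kind["reported"]
    return {
        "recipients": len(recipients),
        # Share who reported the lure: the number worth celebrating publicly.
        "report_rate": round(len(reported) / len(recipients), 2),
        "click_rate": round(len(clicked) / len(recipients), 2),
        # Credential entry is the worst outcome and gets its own line.
        "submit_rate": round(len(by_kind["submitted"]) / len(recipients), 2),
        "first_reporter": first.user if first else None,
        "minutes_to_first_report": (
            round((first.ts - send_time).total_seconds() / 60, 1) if first else None
        ),
        # Clicked but then reported: a recoverable mistake worth praising.
        "clicked_then_reported": sorted(clicked & reported),
        # Clicked and never reported: redirect and coach, do not punish.
        "needs_coaching": sorted(clicked - reported),
        # Never clicked, never reported: the quiet majority still to train.
        "no_action": sorted(recipients - clicked - reported),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the constructed campaign; swapping `SAMPLE_LOG` for an export from your own simulation tool is the only change needed, provided the four event kinds are mapped onto the same names.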
Your efforts as a security leader directly influence the outcomes of the next threat your organization will ultimately suffer. Be prepared.
Dr. Mike Lewis serves as Chief Information Officer and EVP of Informatics, Security & Technology for Trillium Health Resources, a managed-care organization serving more than 350,000 members in North Carolina. He earned his Doctor of Management degree from George Fox University and is a former MBA adjunct professor at Marylhurst University. Mike has worked in the IT field for more than 25 years, with stints at IBM, Merisel, and Dell.