How can business ensure security technologies are
aligned with work processes so that it is easy for end-users to do
the right thing and not circumvent controls?
The two most significant factors that lead to employees
circumventing security controls are lack of employee "buy in" to
the controls and the absence of a good fit with "business as
usual".
Both of these shortcomings can be mitigated by involving both
managers and staff in the implementation of security policies.
Standards such as ISO 27001 require top management to lead on
security and to assign clear roles and responsibilities; a common way
to meet this is to form an Information Security Steering Group (ISSG)
with representatives from throughout the business. If the ISSG drives
the security policies and guides the implementation of controls, then
business needs can be taken into account when policies and controls
are created, rather than discovered after staff have already found
ways around them.
Further, if staff awareness programmes include ongoing discussion
of and justification for controls, then employees can understand
the importance of the controls and are much more likely to comply.
Involvement in both the underlying policy and the means of control
will result in staff committing to the policies (and hence
controls) since they feel they had a hand in designing them.
It is human nature to rebel against anything imposed by a higher
authority, especially if no clear reason is given or there appears
to be no benefit to the employee. This is worsened if the controls
seem to hinder business as usual. A classic example is a password
complexity rule, which appears to require the user to create a
complex password which they have no way to commit to memory. If the
complexity rule requires any three of upper case, lower case,
numeric and symbol characters, the typical result is a password such
as "Password1": it satisfies the rule, yet it is a dictionary word
with a capital letter and a trailing digit, exactly the pattern an
attacker's wordlist tries first. However, if staff are told why a
password needs to be difficult to guess, how criminals attack
passwords (guessing common words and patterns, not brute-forcing
every combination), and how to create a secure passphrase (rather
than password) that is easy to remember, such as "I want a red
Ferrari", then compliance follows far more readily. The check behind
the policy should match that advice: favour length and reject known
weak passwords, rather than counting character classes.
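To make the point concrete, the following is an added example (not code from the article or from First Base Technologies): a minimal check implementing the "three of four classes" rule beside a length-plus-denylist check. The denylist is a small constructed stand-in for a real list of leaked or common passwords, and the substitution map is an assumption about how users typically "complexify" a word; both are illustrative, not exhaustive.

```python
"""Added example: a 'three of four character classes' rule lets
"Password1" through, while a length-and-denylist rule rejects it and
accepts a memorable passphrase. Not code from the original article.
"""
import string

# Constructed sample, standing in for a real leaked/common-password list
# (assumption: a production check would use a large breached-password set).
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "football", "monkey",
}

# Assumed map of the substitutions users make to satisfy complexity rules.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s",
})


def passes_complexity_rule(pw: str, min_len: int = 8) -> bool:
    """The legacy rule from the article: at least min_len characters and
    any three of upper case, lower case, digit, symbol (punctuation)."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


def normalise(pw: str) -> str:
    """Undo the tricks used to satisfy complexity rules before a denylist
    lookup: lowercase, drop trailing digits/symbols ("Password1",
    "Summer2024!"), then map common substitutions ("P@ssw0rd" -> "password")."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def passes_length_and_denylist_rule(pw: str, min_len: int = 15) -> bool:
    """Passphrase-oriented rule: long enough, and its normalised form is
    not a known weak password. No character-class requirement, so
    "I want a red Ferrari" is acceptable and easy to remember."""
    return len(pw) >= min_len and normalise(pw) not in COMMON_PASSWORDS


def audit(pw: str) -> dict:
    """Report how a candidate fares under both rules, for comparison."""
    return {
        "complexity_rule": passes_complexity_rule(pw),
        "passphrase_rule": passes_length_and_denylist_rule(pw),
        "normalised": normalise(pw),
    }


if __name__ == "__main__":
    for candidate in ["Password1", "P@ssw0rd!", "I want a red Ferrari"]:
        print(f"{candidate!r:>24}: {audit(candidate)}")
```

Running it shows "Password1" and "P@ssw0rd!" passing the complexity rule while both normalise to "password" and are rejected by the denylist, whereas the passphrase fails the complexity rule (no digit or symbol) yet passes the length-and-denylist check. Note that any passphrase printed in an article, including the one above, should be treated as public and not reused as-is.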
Peter Wood is a member of the ISACA Conference Committee and
founder of First Base Technologies
Read more expert advice from the Computer Weekly Security Think
Tank >>