We’ve dedicated a lot of ink to the call for end-user accountability in enterprise data security, from top executives to the rank and file. User compliance remains the biggest wildcard in InfoSec. But as Code42 gears up for Help Desk International 2016, we’re turning the focus on ourselves. How can we, as IT and InfoSec professionals, change end-user perceptions of, prejudices about and resistance to security policy, and so reduce insider risk?
We talked with Code42 Help Desk guru, Alex McGruder, to get some great insights on how IT can make friends in the enterprise landscape, get on the good side of our users and encourage compliance.
Admit we’re part of the problem—change the “us vs. them” narrative
“The stereotype of the snooty, condescending IT guy is a big problem,” said Code42 Help Desk guru, Alex McGruder. The annoyed IT worker has been lampooned in pop culture for nearly two decades. It’s pretty clear how we got here. As IT professionals, we know that end users are our biggest security threat. They make honest mistakes, lazy mistakes, arrogant mistakes. And we know that IT policy doesn’t weigh heavily on their minds. But we’re not completely without fault. We sometimes let our frustrations get the best of us—from annoyed or condescending tones to outright scolding. But it’s time we change this “us vs. them” narrative. This adversarial relationship isn’t doing us any favors with end-user compliance.
Start at the top: get executive buy-in by translating data security into business-speak
Your executives define your culture. They need to be frequent and vocal advocates of data security and compliance. Get the buy-in and support of the corner office by translating data security into business-speak: strong data security protects business continuity, reliable compliance makes the benefits of anytime-anywhere productivity possible, and visibility into where your data lives reduces the very real, very high cost of a breach. These are tangible competitive advantages, and they can convince your executives to make compliance a core corporate value.
Get inside your users’ heads—and develop policies accordingly
If InfoSec policy is a hassle, users will work around it, and then what good is it? If your end goal is data security, start from the end-user perspective. That means working to understand the “why” of how your users work and why they seek policy workarounds. Tech leader Dave Payne said it well in a recent blog post: “The question becomes not, ‘Why don’t employees save files on the file server like I told them to?’ but, ‘What technology will make file backup automatic and inconspicuous so employees don’t have to worry about it?’”
Speak your users’ language: convenience and productivity
Your users’ chief concerns are convenience and productivity, so speak their language. Security measures add friction to their workflows, and users notice. But nothing is as inconvenient or as productivity-crushing as a malware infection or losing all their data. McGruder summed it up nicely: “It’s like a suit of armor. You don’t say, ‘This will make you faster and stronger.’ You say, ‘You’ll be in big trouble if you get your arm (or head) chopped off.’”
Service with a smile: sounds trite—makes a big difference
The Help Desk’s specialty is keeping users running smoothly so they can focus on their own specialty. “We shouldn’t seem annoyed by Help Desk calls,” said McGruder, “and they shouldn’t feel hesitant or embarrassed to call.” As trite as it may sound, McGruder’s background in customer service has shown him that “service with a smile” makes a big difference in how your customers respond to your assistance and your requests. “If we can fight the stigma of snooty, condescending IT support staff, our users will be more trusting, more open to our policies, and more likely to come to us early with concerns,” said McGruder.
Communicate trust—build a relationship BEFORE things go wrong
As InfoSec professionals, we have to assume our users will keep making mistakes. But that doesn’t make them idiots; no one wants to get hacked. “Start seeing [your users] as people striving to meet their business goals, not end users who must be admonished for their own good,” said Payne. We should come from a place of trust, and communicate that trust to our users, to break down the barriers of defiance, defensiveness, fear and embarrassment. Users should feel that you appreciate their good intentions and recognize they’re dedicated employees just trying to get their work done. They should also know that cybercriminals are very good at fooling people (they fool IT experts, too), so that end users don’t see security policy as babysitting.
Show them that IT doesn’t always say “no”
IT has a bad track record of raining on employees’ parade: blocking websites, banning applications, plugging up a convenient shortcut. But that’s rapidly changing. BYOD is commonplace, and shadow IT can’t be defeated, only brought into the open. Make it clear to your users that your default answer is no longer “no.” “I want our users to come to me with a new app they found. I’m probably not going to say they can’t use it—I just want to know they’re using it, and help them use it safely,” said McGruder. An app you know about can be evaluated and given safe-use guidance; an app nobody told you about can’t be assessed at all.
Make data security an ongoing conversation
Data security can’t be a one-time training. It needs to be an ongoing dialogue throughout your organization, one that fits naturally into the everyday operations of your users. Every new application rollout or software update is an opportunity to discuss safe-use policies and best practices. Every new hack that makes headlines should prompt an organic discussion: how the attacker fooled a user, how a user ignored policy and let the threat in, and how your own InfoSec policy is designed to keep your users from becoming the next headline.
Take advantage of your front-line “eyes on the ground” to drive breach remediation—and mitigate impact
Even in the most compliant enterprise, breach is the new reality. But a trusted relationship with your users is a powerful asset in breach remediation. Your users are likely to be the first to notice something amiss: a suspicious link, missing files, or anything out of the ordinary. “I want my users to feel comfortable coming to me and saying, ‘Hey, I got this weird email,’ or even, ‘Hey, I downloaded this attachment and I think it was malware,’” said McGruder. Every breached record adds real cost, and the sooner an incident is reported, the less there is to contain. So if we’re going to catch breaches sooner and successfully mitigate their impact, we need users who will report what they see without fear of blame.
Turning the data security boxing match into a team effort
Each of these steps has real potential, but let’s not kid ourselves: users are never going to be 100 percent compliant. If we’re serious about fighting the growing risk posed by insider threats, we should start by looking in the mirror and searching for ways to change our approach, our behavior and our communication style in order to earn the trust of our end users. It’s the “good cop” side of the equation, and it’s critical for turning enterprise data security from a perpetual boxing match with your users into a team effort.