There is no doubt that security is necessary, but why is it so unpleasant to follow a security policy? Reminding yourself to stick to the rules feels like your partner telling you to eat your salad. You know they are right, but anticipating that bland taste and mindless chewing that awaits you simply puts you off. You decide to put it off, so much so that you never get to it.
Cakes, on the other hand, are yummy and require no effort whatsoever to indulge in. Nobody needs to force us to eat cake.
In our day-to-day lives we prefer to do ‘cake’ tasks without giving it a second’s thought. Things like storing confidential files on Dropbox or emailing them to our personal accounts – you know, taking a little bite here and there. “It’s only for today; no biggie.” This one-time thing is so harmless, it’s like a comfort snack. We might later feel guilty that we bypassed a few ‘salad’ controls. Maybe we used our personal USB drive instead of a company-issued encrypted one, but, at the end of the day, who cares? Who will notice? As long as there is no dramatic impact on our health, a bite here or a bite there won’t cause any harm.
And one day we realise that it’s not all rosy.
The result of our laziness or lack of willpower eventually rears its ugly head when the doctor makes us stand on the scales and has a look at our blood pressure. So, to add to your partner’s words of wisdom is the doctor’s warning of an unhealthy present and a bleak future; something that would sound very similar during the company’s security audit.
“You have to eat more salad and lay off the cakes!”
To make matters worse, even with our best intentions to have the salad at the office cafeteria, we discover that the one available is practically inedible. Pretty much like finding that the company’s secure shared drive doesn’t have the necessary space to store our files, or that the encrypted pen drive is not compatible with the client’s Mac.
What can security professionals do to help us, the employees, maintain our ‘security diet’?
They could aim to make security more like a cake: effortless, even attractive, but still as healthy as a salad. Sound simple? Perhaps not, but they should invest in usability studies to make sure that the secure solution is the easiest to use. It might involve discovering an entirely new culinary art on how to make a cake-flavoured salad. But if they fail to realise just how unpalatable the salads are to begin with, we should let them know. Security professionals need employees’ support.
Organisations are like families: everyone has to stay healthy, otherwise when a single member gets sick, the whole family is at risk of getting sick as well, whether it be catching an infectious disease or adopting an unhealthy lifestyle. It’s like having the slimmest, fittest family member refrain from adding biscuits to the grocery list in order not to tempt the couch potatoes. It’s a team effort. In order for a company to stay healthy, everyone has to keep a healthy lifestyle of eating salad regularly, even when it is not that pleasant.
The whole company needs to know that security is important for achieving its goals – not as something that gets in the way – just as we should all know that having a healthy diet of greens will guarantee a sound body. Employees contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure confidentiality and the integrity of information, but it also guarantees that the resources are available for employees to complete their primary tasks.
We need to realise that we contribute to security, and that we can inflict serious damage on a company when we don’t comply with security policies, no matter how insignificant or harmless they may seem. As employees, we are individually responsible for the organisation’s exposure to security risks just as we are responsible for exposing ourselves to illness. Our behaviour and daily regime significantly shape our quality of life, and our practices shape the quality of our business.
The health of the company is everyone’s business. Let’s all eat our salad while helping the security specialists come up with better tasting ones.
Leron Zinatullin is author of The Psychology of Information Security, which discusses how to improve an organisation’s security culture.
You can follow Leron on Twitter @le_rond.