It’s safe to say that users are normally the weakest link in the cyber security chain. Precisely because of that, a resilient security strategy demands that organizations look at solutions from a people-first perspective rather than rely solely on technology-based controls.
Of course, many executives tend to look at IT risk and security as a technical problem. But that assumption does not survive contact with reality: as long as human users are involved, security is also a people problem. It all comes down to users making choices they shouldn’t make, whether it’s clicking on the wrong link, visiting a risky website, or making other decisions that expose systems and data to unnecessary risk.
It’s also something that attackers understand, which is why so many of them target users rather than other attack vectors. The average user’s propensity to click without thinking makes it much easier for attackers to gain a foothold than attacking hardened systems directly.
With so much effort placed on reducing these risks, including extensive training and education given to users, seeing these very same users make the same security mistakes over and over seems mind-boggling. One possible explanation is that users do not feel heavily invested in cyber security.
In contrast to the IT environment, people in the real world are often asked to take responsibility for their own personal security. It should be possible to have users display the same level of awareness when it comes to their virtual security. For example, users should pause and ask themselves if they’re a part of a team where a careless or negligent action could bring harm to critical assets and data.
Technology-oriented security strategies have often proven difficult to manage, and security teams would rather not take on the “bad cop” role when it comes to mitigating risk. Shifting to a people-centric security model could help change this reality, allowing people, rather than technology, to be at the forefront of the security strategy. This move offers users greater latitude when it comes to the devices they use daily, but at the same time instills a sense of responsibility to individual users and teams.
Fundamental principles and core standards should be part and parcel of any security strategy, especially one designed specifically with the human element in mind. Executives at the CIO or CSO level should also allow business units and teams to carefully tailor their security practices to meet their unique needs. For instance, teams that regularly deal with sensitive or confidential data may have regulatory or compliance obligations that other teams do not. These obligations often require more careful thought about what should be allowed and what should be prohibited.
In the end, governance and guidance are both essential. Executives must use the tools at their disposal, from regular meetings with teams and individual users to resources from HR and Legal departments, to enforce the minimum requirements that teams must meet.
Letting individual business units examine their security needs and choose tools that offer the best fit can help foster trust and collaboration with IT security. However, it may take time for some organizations to build that level of trust, and without it, it may prove impossible to effectively monitor and educate those who fall out of compliance.
Contact us today and learn how eXemplify can improve your organization’s security.