In our experience working with hundreds of businesses, both large and small, most of the issues around the security of IT systems come down to user behaviour. The data breach reports from the OAIC reflect the same finding.
So how do you empower end users in an organisation to follow the behaviour you need from them? At the end of the day, there are some simple ways to help the organisation adopt the right practices.
It all comes down to communication
IT teams tend to be some of the worst communicators in any business. They are stuck in a technical world and use a language that might as well be Esperanto to most business users. Some of it seems familiar, but often people will nod and agree without understanding a word. IT teams also need to show a degree of empathy with users in the organisation. Just because you understand the complexity of the technology does not mean that they do.
Security user behaviour – Think before you click
Everyone uses technology outside of the office now: we all have smartphones and use the internet for all sorts of reasons. Very few people do not.
What we have found successful with customers and companies is relating the situation back to their personal circumstances and the risks they face personally. One of our customers also offered education and assistance to get their employees' personal email and social media accounts set up with the right security. This made the users much more conscious of the impact of security in their work domain, and as a result there have been fewer issues.
How do we empower the end users?
There is no pride to be had in using special language: relate the problem in simple terms that users in the organisation can understand. The more you train and empower users, the fewer annoying problems you should have to deal with later. It is that simple. If you need assistance, talk to your marketing or HR team, whose role it is to communicate within the organisation. Clear communication should address most of the problems.
Here are the top ten items we have come across over the years and our recommendations for bringing users on side. Some of these will be obvious to you, but all of them are important to maintaining the integrity of your IT systems.
Change passwords regularly
We know this is simple. So why do we keep seeing this in companies everywhere? The requirements for managing passwords, not only for domain log-in but also for all applications and cloud apps, should follow the same principle: they need to be changed regularly.
Help them protect their personal accounts / passphrases
If they are going to access their work account on their own device, make sure you instil the importance of security for their own personal accounts. This will help them understand the importance of security, and it will translate across to the way they treat security at work. Consider a series of communications to end users, or even a "bring your problem to work" day, to help them get secure.
Think before you click
This one is simple. If it looks fishy and smells fishy, don't click. Rather than only putting up posters or communications about the next social event, some simple, direct posters asking users to think before they click provide a subconscious reminder of the importance of security to your business.
Be open to end users asking questions about their personal accounts
We understand the potential pain involved here (and which of us isn't the IT helpdesk for our family?). The more we help and empower the users in our organisation personally, the more they understand the issue of security. Do not underestimate the importance of this.
Back up, back up, back up.
No matter what you do, and no matter how secure your environment, something could happen, so having a protected and secure backup is crucial to being able to return to a steady state in the event of ransomware.
No shared log-ins ever.
While your marketing team may think themselves clever for saving a few dollars a month on the number of user licences for the next shiny new object, we have seen instances of a common log-in used across many insecure third-party apps or systems. Educate the team on why this matters and support the extra few licences.
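Beyond education, a shared log-in is something you can look for in your own authentication logs: one account signing in from several different source addresses within a few minutes is a strong hint that the credentials are being passed around. The script below is an added example written for this article, not code from the original or from APPSPOINT; the log format (timestamp, event, `user=`, `src=`) and the sample lines are constructed for illustration, and the 15-minute window and three-source threshold are assumptions you would tune to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # how close together logins must be to count as concurrent (assumed)
MIN_SOURCES = 3                  # distinct source addresses in one window before we flag (assumed)

# Constructed sample log lines (not real data): timestamp, event, user, source address.
SAMPLE_LOG = """\
2024-03-04T08:01:10Z LOGIN_OK user=marketing src=10.0.1.20
2024-03-04T08:02:00Z LOGIN_FAIL user=marketing src=198.51.100.4
2024-03-04T08:03:42Z LOGIN_OK user=marketing src=10.0.1.57
2024-03-04T08:05:05Z LOGIN_OK user=marketing src=203.0.113.9
2024-03-04T08:10:00Z LOGIN_OK user=jsmith src=10.0.1.31
2024-03-04T09:30:00Z LOGIN_OK user=jsmith src=10.0.1.31
2024-03-04T12:00:00Z LOGIN_OK user=jsmith src=10.0.2.8
"""


def parse_line(line):
    """Return (timestamp, event, user, src) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, event, user_kv, src_kv = parts
    if not (user_kv.startswith("user=") and src_kv.startswith("src=")):
        return None
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, event, user_kv[len("user="):], src_kv[len("src="):]


def find_shared_accounts(log_text, window=WINDOW, min_sources=MIN_SOURCES):
    """Map each suspicious user to the sorted list of source addresses seen in
    any `window` that contains at least `min_sources` distinct addresses."""
    logins = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "LOGIN_OK":
            continue            # only successful logins indicate an active session
        when, _, user, src = rec
        logins[user].append((when, src))

    flagged = {}
    for user, events in logins.items():
        events.sort()           # chronological order so the window scan below is simple
        for i, (start, _) in enumerate(events):
            # sliding window: every login within `window` of the i-th one
            srcs = {src for when, src in events[i:] if when - start <= window}
            if len(srcs) >= min_sources:
                flagged.setdefault(user, set()).update(srcs)
    return {user: sorted(srcs) for user, srcs in flagged.items()}


if __name__ == "__main__":
    for user, srcs in find_shared_accounts(SAMPLE_LOG).items():
        print(f"possible shared log-in: {user} from {', '.join(srcs)}")
```

On the sample data the `marketing` account is flagged (three successful logins from three addresses inside five minutes) while `jsmith`, who moves between two addresses hours apart, is not. Failed logins are ignored because they do not indicate a live session. A hit is a prompt for a conversation with the team and a licence review, not proof of misuse on its own.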
Mobile device screen locks
Most people have a mobile device which probably holds their work account, or an account they use for work, in one app or another. Make sure that if personal mobile devices are used in any way associated with their work function, they are secured as tightly as you secure work devices.
Keep patches up to date.
IT management 101. You are never so busy that you can afford to forget or put off this one.
The more condescending or pained your expression when dealing with the simple problems your users experience, the less likely they are to approach you with a potential problem. Believe us, this will pay off in the medium term, as it can head off issues before they become issues.
And lastly, make sure you have a clear access control document that details how users access the environment, how to log in, the rules for passwords (remove ambiguity) and when they are changed.
If you want a simpler way to manage the variety of passwords for different systems while reducing complexity for your users, have a discussion with us about APPSPOINT Workspace: a single pane of glass to manage passwords for over 5000 apps. This will make it easier for end users as well as your IT team.
Especially as we head into the holiday period, consider aligning the timing of password changes to account for people being away. In our experience, adding it to the IT checklist before people go on leave leads to more of them forgetting it by the time they come back.