As long as the workforce is human, IT security education will fall short


IT security education: ‘Abandon hope’

The second decision we made was to completely and entirely give up on humans. We had hoped that our IT security education programs — training, frequent reminders, case studies, tools like data loss prevention (DLP) and begging — would stop the people in our company from doing things like clicking on a blatant phishing link, emailing a sensitive data file to a customer or installing a thumb drive they found in the parking lot.

It turns out that my optimism about humans vis-à-vis IT security is badly misplaced. Indeed, I have lost hope in humanity, or at least in the efficacy of IT security education drills. When it comes to knowing and doing the right thing to prevent security breaches, the odds are stacked against us. The math is compelling. Suppose, for simplicity’s sake, there are 1,000 people in the company. What are the odds that not one among us thousand-strong will get suckered into doing something we should not? And, remember, all it takes is one.

So, how does my utter lack of faith in the human capacity to obtain an IT security education actually pan out day-to-day? We now treat everyone with suspicion. We assume that everyone is a bad actor and so lock down their access. We tease them with phishing attempts that we generate (just to see who will click that link). We don’t let them use USB ports. We determine which external services and applications they can access. We treat them for what they are — terrible persons who, if given the chance, will do something to put themselves and the company at risk.

All right, perhaps I am exaggerating my attitude, but I have learned through sad experience that people will make potentially life-altering mistakes — not because they have bad intentions but simply because they are human. And since we are all human, no one is immune from being the one who makes the life-altering mistake, including the mistake that ends up putting a company at risk. Even I worry about getting caught when we send out an internally generated phishing attempt. Why? I am the last person who should be sent to the remediation training — I am supposed to know what I am doing, and yet …

About the author:
Niel Nickolaisen is a veteran IT leader, currently serving as the CTO at O.C. Tanner Co. He is a frequent writer and speaker on transforming IT and on IT leadership.