People are practical creatures. “Don’t fix it if it isn’t broken,” they say. And until they have first-hand experience of the damage a data breach can do, they will keep doing as they always have, following the workflow that’s easiest – not necessarily the one that’s the safest. You can try fear tactics, bringing up a breach in a high profile news story, but the prevalence of these stories hasn’t done anything to help workers become more vigilant. That alone shows you that people don’t always respond to other people’s problems. If you want your employees to really care about your security strategy, you need to make it personal and integrate it into your company’s culture and belief systems.
The Problem with Fear-Based Motivation
It’s true that fear-based motivation can work – for a time. But think about how you react when you hear about a danger in the news. You may change behaviors for a short time, but the alarm quickly fades as other concerns enter your sphere of attention. Then it’s a return to the status quo. If you’re looking to advance your security strategy, you need the status quo to rest at a higher level. You need to change mindsets and beliefs so that a return to normalcy means returning to an already high level of secure behavior.
Shared Stories Are Part of a Shared Culture
Workers tend to see security as a process that inhibits them. If you want it to be part of a belief system, it must empower them instead — and empowerment comes from inspiration. Take pride in your security measures. Share information about your successes and challenges. Part of that is sharing the security-related stories that go on within the organization, which makes security a personal matter for your workers.
For instance, at Cisco, a call center worker successfully evaded a phishing attack by telephone, refusing to give sensitive information to a caller claiming to be then-Senior Vice President, Rob Lloyd. The worker ended the call and reported the incident, and the news naturally made it to Lloyd. Lloyd shared the incident with members in a meeting and it became a story deeply embedded in the company culture. By sharing this security incident, Lloyd unintentionally made everyone in the organization more aware of the threat of intrusion.
It’s also important that your workers understand your company is serious about security rule violations. If you let an employee go for repeated security violations, tell the staff what happened. The story will become another shared history that binds your workers together. Stick to the facts only to avoid defamatory remarks, but make it clear that security is as important to your company as physical safety.
Security Is Everyone’s Job
Your security culture also needs to make it clear that security isn’t exclusively the job of IT or administrators. Security is everyone’s job. Let your staff know about the steps you take to keep data secure, their role in implementing those steps, and the methods you use to measure success. Congratulate them for the role they play in keeping your data secure.
This process also requires strong leadership, because changing mindsets starts at the top. If your CISO or CIO doesn’t display a passion for protecting your data, why should anyone under him or her do so? Use this passion, seeking out common threads in your current company culture that will help you support a culture of security. For instance, good customer service means keeping data secure. If caring for the customer is part of your company culture, you can tie security into the accomplishment of that ideal. Remember that cultural changes are not events, but rather ongoing processes that work towards a common goal.
Meeting Workers Where They Are
But just caring about security isn’t enough. Leaders need to meet admins and users where they are and speak to them in a language they understand. You won’t know what that language is unless you’ve spent time working alongside several different roles to observe security protocols that, roughly translated, mean “productivity roadblock” in their language.
Look at the way security affects workflows and ask your staff how it “should” or “could” be. This puts everyone on the same team, working together to find security solutions that work. Identify the problems faced in the trenches and adjust security policies to make the rules easier to follow without compromising their intent. Otherwise, workers will simply find ways around your latest “roadblocks” and deal with security problems only after an incident occurs.
Talking about incidents in the news still has a place in security. These stories are excellent reminders to workers about why we must remain vigilant – not as incentives to become vigilant. If you want long-term dedication to secure information, cautionary tales cannot be your main focus.
The Right Tools Make a Big Difference
Of course, if you can implement security so that it doesn’t harm workflow, you’re ahead of the game. HyTrust offers several tools that make the cloud secure without compromising productivity or efficiency:
HyTrust DataControl is a tool that can encrypt or re-key data, without taking applications offline. This means the workflow continues uninterrupted in private, hybrid or public cloud infrastructure as a service, while your data remains secure from unauthorized access.
And HyTrust’s CloudControl lets you add authentication, authorization, and auditing policies for administrators of virtual infrastructure. Within it, you’ll find tools like Boundary Controls, designed to help you automate security policies for the highly mobile workloads generated in cloud environments. Boundary Controls ensures that, even if an employee accidentally sends sensitive information outside the defined, trusted boundary, you can have policies in place that prevent the data from being decrypted. That keeps it safe even when an employee suffers a lapse in judgment, or an outsider spoofs their way in to access admin credentials.
CloudControl also lets you define the actions you’ll allow administrators to take. Instead of giving them free reign, you can limit authorizations based on roles and assets. It also allows you to track actions by administrators, including failed attempts to access information. This provides greater insight into the ways in which your data is being used and the ways in which your workers want to use data to complete their jobs.
Contact HyTrust today to find out more about how DataControl and CloudControl can help you create a more secure infrastructure by creating a stronger security that doesn’t hamper productivity.