Some enterprise security tactics can backfire, pitting IT and security teams against the employees they’re trying to protect.
When it comes to staying safe and secure in our digital worlds, sometimes it can feel like giving up is the only choice. This idea of “security nihilism” isn’t new. Security teams have always faced incredibly challenging problems while trying to enable safe and trustworthy experiences across all the technology we use. It can be a difficult trap to overcome for security practitioners, but it’s even more dangerous when employees start to feel it. Security nihilism creates new problems and worsens existing ones, putting a company’s data — and the employees who are stewards of that data — at risk.
Unfortunately, security and IT teams can inadvertently cause a sense of security nihilism. Some enterprise security tactics, while well-intentioned, can end up pitting IT and security teams against the employees they’re trying to protect. Strategies that rely on scare tactics, shame employees for making mistakes, or overwhelm employees with information can lead to frustration and a lack of engagement. Worse, they can cause people to just give up. If breaches seem to be inevitable and getting security right is so difficult and burdensome for employees, why bother?
Security teams must take accountability for keeping employees engaged. It’s time to shift the message to empower employees and create a culture where everyone is on the same side. Here are three steps toward that goal.
- End “Gotcha”-Style Tactics That Shame Employee Mistakes
Blaming or shaming employees who make mistakes is counterproductive and can lead to security nihilism. Employees can get discouraged and give up, or they won’t tell security teams when they receive a phishing email or click on a malicious link. Employees are not part of the problem; they’re part of the solution. Security teams can’t respond to a threat or a breach if they don’t know about it, which means employees are important allies in safeguarding company data.
“Gotcha”-style phishing tests are a good example of this problem. One such test involves emailing all of a company’s employees with information about a holiday bonus. The people who click the link are “punished” with more cybersecurity training.

Read more: https://bit.ly/3jqy3Ri