Charlie Platt, Expert Services Affiliate with iDiscovery Solutions and Certified Ethical Hacker, says the words we use can shape our way of thinking and how we interact with others. So when it comes to cybersecurity, with most attacks centering around employees, the best way to protect your organization is to stop treating employees as "risks" that need mitigating and start treating them as partners in cyber defense.
I hear this bit of conventional wisdom quite a bit: “Employees are the ‘weakest link’ in the cyber defense chain.” I understand why we say it. Heck, I’ve been guilty of saying it myself.
And the facts seem to back it up. According to the Ponemon Institute’s 2017 Cost of Cybercrime report, “Sixty-nine percent of companies experienced phishing and social engineering” attacks in 2017, down just one percent from 2016.
Phishing, social engineering, and insider attacks cost U.S. companies each an average of $2.7 million, exceeding the cost of malware ($2.4 million) and denial of service ($1.6 million). Given the prevalence and the cost of attacks that center around employees, it’s understandable why we feel that our employees are the weak link.
Why Words Matter
Unfortunately, when we allow ourselves to adopt this mindset, where employees are “risks” that need to be “mitigated,” we create an adversarial relationship between ourselves and our community while simultaneously dismissing one of the best chances we have to defend ourselves.
It could be said that I am just arguing semantics, that we’re really saying the same thing, and I’m just using different words. I’ll admit it, there is some truth to “it’s just words,” but I believe words matter. They matter because words set the stage for our frame of mind and how we interact with the world. Not only that, but they broadcast to the world what and how we think.
The words we use project our attitude, and that attitude can energize and motivate, or it can alienate and demoralize. Take a hypothetical employee – Joe from accounting. He’s a model employee: earnest, honest, and hard working. He’s a great accountant, but he’s not all that great with technology, which is fine, because it’s not his job to be great with technology.
Joe’s a prime target for phishing and business email compromise. We can approach Joe as a risk that needs to be mitigated, which sounds reasonable and appropriate. But if our mindset is that Joe himself is the problem, our verbal and non-verbal communication with him and his colleagues will convey that.
We’ll end up losing Joe’s heart and likely the hearts of his coworkers. The community will develop a bad taste for the security team and go away thinking that we are condescending, overly impressed with our own importance, and that we see everyone else as “the problem.”
Approach Employees As Partners
But what if, instead of approaching Joe as a problem, we approach him and his colleagues as partners? This not only allows us to mitigate the immediate risk, which is real, but also gives us the opportunity to create a force multiplier. Approaching our employees as our best chance for creating a secure environment forces a change to the entire organization’s security landscape.
On some level everyone becomes a member of the security team. Everyone asks questions and is aware of risk. Suspicious emails are assumed to be malicious rather than innocent, computers are locked when employees leave their desks, and badges are swiped when entering secure areas.
One of the best security questions I’ve ever been asked was by the Chief of Police for Fairfax County, Virginia. He asked our graduate cohort, “Who keeps law and order in Fairfax County?” Now imagine a room full of cyber and policy geeks responding to this question. The conversation was dynamic and enthusiastic, and our responses were all over the map.
When no one provided an adequate answer, he told us, “You do. Every one of you when you get up in the morning and participate in our community. I’m here for the exceptions; you are responsible for everyday law and order.”
He was telling us that each one of us was a member of his security team. That we are all responsible for the security of our environment. That by locking our homes and cars, we participate in securing the community. By being alert and recognizing danger before it strikes, we participate in securing our community.
A Mindset Change Is Needed
I believe the same is true in cyber. We can’t do it alone; we need the entire community that we serve to be awake and alert. In the physical world we’ve honed these skills over decades (or more) of life. In the cyber world many of us haven’t learned or been taught these skills. It’s up to us security and cyber experts to help our co-workers build and develop these skills.
Because at the end of the day, treating employees like problems undermines the culture that we are trying to foster. Employees are not our weakest link; they represent our best chance for a secure future. If we are asking them to change their mindset to incorporate cybersecurity, it’s only fair that we be willing to reciprocate. We need to change our mindset to see them as partners and defenders, not as problems and risks.
This article was originally published on The iDS Blog.
Published July 11, 2019.