Nobody Is Really Against Security

Anyone can relate to an e-mail they got, that seemed a bit suspicious. Or to seeing a Facebook campaign that seemed too good to be true. Security is not something special that matters only for a few people. According to a recent online survey of American adults, 39% said they would sacrifice sex for one year if it meant they never had to worry about being hacked.

A general risk analysis would usually put people “up there”, in terms of damage potential and probability for incidents.

Both as individuals and organisations we want to stay secure, and in general we’re all facing the same threats. Still, people take risky actions which lead to a growing trend of data breaches, resulting in financial loss, hassle and pain.

The most common security incidents involve a human error at some point, and this is nothing new. It is unfortunately far too easy to blame people for those incidents, since doing that won’t really help. People will only blame you back for not helping!

All of this when no-one would say they are really against security.

But sometimes, there is just too much friction around for people to do the right thing. While people only try to do their job, security gets in the way. Users become frustrated and feel forced into risky actions, or fear leads them to make mistakes. Bad user experiences with enterprise IT and security can further lead to negative emotions among users. Those bad emotions provide a poor climate for learning, and effectively keep people away from turning those risky behaviours into secure practices.

People will not change their behaviours unless they are actually receptive to our awareness and training efforts in the first place.

While people can be easily blamed for incidents, we should see the potential of going down a completely different path. Consider the fact that security is something anyone can relate to, and something that everyone wants. If we are instead able to establish a positive dialogue with our colleagues, we can learn valuable things on how they actually work and how things work in practice for them.

Would you dare asking people if they knowingly break any security rules?

Do you believe they will trust you with their honest responses? A dialogue is by nature a two-way thing. But all too often, security communication goes in only one direction. Are you able to see the value in having a balanced conversation with people like this?

By doing that, we may actually realise that sometimes what needs to be changed, are in fact our systems and/or policies — and not necessarily our people.

Although security experts usually consider risk in negative terms, we should start seeing some positive risks as well. These positive risks are also called opportunities, and we find them in the midst of our biggest challenges.

This blog is therefore about the opportunities of supporting people. Both by using technology that helps us to do the right thing, and by establishing secure practices that anyone can agree with.

The goal is to remove friction between people and technology, in order to reduce friction between people and security.

Because people are your organisation’s greatest assets after all.


PS: If you are looking for actionable advice to avoid common human errors in cyber security, my company Secure Practice can help. Drop us a line at [email protected] and we’ll get in touch!