By now I’m sure you’ve heard that when it comes to information security, employees are the weakest link. Organizations often emphasize that despite any security measures they put in place to protect their infrastructure, all it takes is one employee who is not following the rules to undo all of that. An article on TechRepubic looks at a theory by security researcher Dr. Kelly Caine, which questions the conventional belief that employees are information security’s weakest link.
Although most agree with the logic that users are the weakest link in causing a data breach, Clemson University’s Dr. Kelly Caine recently made a contradictory claim at the Infosecurity North America conference in Boston. At the conference, Dr. Caine shifted the focus away from employees by putting the spotlight on IT professionals up the chain.
It’s actually executives, managers, system administrators, designers, and coders–rather than users–that are the weak links in information security.” – Dr. Caine
To enhance her argument, Dr. Caine uses her experience obtained through her role as director of the Humans and Technology Lab at Clemson University. Dr. Caine, who leads research in a number of fields surrounding human-computer interactions explains that one lesson learned through her research is that usability is an absolute necessity rather than a luxury or afterthought.
While systems are often designed with security in mind, they are not always easy to use. Unfortunately, when systems are difficult to use, employees will often find an easier way to get their job done, which many times means violating company policies.
For example, if sending a secure email is difficult to do, there is a good possibility that an employee with still send that email, however do so in a way that is not secure. It is important that IT professionals and management ensure usability for all systems to prevent employees from looking for shortcuts that could potentially comprise the organization’s security.
Dr. Caine also emphasizes the importance of looking at cybersecurity from the end user’s point of view. She finds that anything a leader higher up says or does will ultimately have an impact on the education/training of those users.
Every interaction trains users to behave securely or insecurely. There is no middle ground.”
For example, suppose an organization trains their employees on the importance of not opening email attachments, which could potentially be phishing emails. Considering the growing threat of ransomware, ensuring employees understand the risks that come with opening an email attachment is essential.
Now suppose that same organization regularly communicates with their employees using emails that contain attachments. Despite the fact that employees are trained on the risks associated with opening email attachments, if their employer is consistently communicating using the very methods they are training against, employees will view that as an acceptable way to communicate.
While poorly trained employees are known to be a leading cause of data breaches, Caine argues that leader’s higher up are equally responsible for data breaches.
According to Caine, they’re just as much the effect of leaders higher up who’ve failed to institute a security culture that takes into account the needs and habits of employees.”
What can management and IT leaders do to help improve cybersecurity?
- Learn about your employees. Understand what areas they’re struggling to improve on when it comes to their security habits.
- Be cautious about outdated advice. Ensure you’re staying up to date with the latest password recommendations and security information.
- Simplify processes for your employees. If an employee finds something like understanding a privacy statement or the process of authenticating a new device too confusing, chances are they will find quicker less secure ways around those procedures.