End-users have a rough time when it comes to cybersecurity. Described as “the weakest link” in an organization’s security, end-users are often blamed for dire organizational consequences resulting from their credentials becoming compromised, or from their device becoming infected. Yet, where do policy and direction of leadership end, and actions of end-users begin? What is a reasonable role for your average employee in securing your organization? In this post, as part of our “Security Takes a Village” theme, we explore reasonable expectations for end-users, and what management can do to encourage and enable compliance. We posit that the role of the end-user is highly dependent upon the processes available to them, and how well such processes are communicated.
What should we expect of end-users?
There are certain ‘basics’ that are easy for non-technical employees to understand, adhere to, and provide feedback upon if there is a problem. These are:
- Having a password that is in keeping with a policy
- Not sharing credentials or access to systems
- Using the devices on which work is done reasonably
- Communicating which external systems, software, or partners are used
These are easily turned into policy, communicated and enforced, if you have a person responsible for them.
Beyond such preventative measures, awareness is required for users to react appropriately to some threats, like malicious websites, phishing emails, or attempts at social engineering that they encounter. This is traditionally dealt with by conducting awareness training, and assessed by doing tests. Tests can be of the traditional “school exam” style quizzes, though increasingly organizations are auditing their users by sending benign phishing emails and reporting on the proportion of users who report, ignore, or are duped by them. So, another key role for your staff in securing your business is reporting when suspicious emails or social engineering attempts occur.
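The phishing-simulation audit described above produces a per-user outcome (reported, ignored, or duped) and the campaign-level rates that follow from it. As an added example, not part of the original post or any ActZero tooling, the Python below classifies a constructed event log in a hypothetical (user, event, timestamp) format; it also flags users who clicked first and reported afterwards, since a late report is still a lead worth counting:

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample log (hypothetical format): (user, event, ISO timestamp)
SAMPLE_EVENTS = [
    ("alice", "sent", "2024-03-04T09:00:00"),
    ("alice", "reported", "2024-03-04T09:07:00"),
    ("bob", "sent", "2024-03-04T09:00:00"),
    ("bob", "clicked", "2024-03-04T09:15:00"),
    ("bob", "submitted", "2024-03-04T09:16:00"),
    ("carol", "sent", "2024-03-04T09:00:00"),
    ("carol", "opened", "2024-03-04T10:00:00"),
    ("dave", "sent", "2024-03-04T09:00:00"),
    ("dave", "clicked", "2024-03-04T09:30:00"),
    ("dave", "reported", "2024-03-04T09:32:00"),
]
DUPED_EVENTS = {"clicked", "submitted"}  # either one means the lure worked


def classify_users(events):
    """Map each user to {"outcome": reported|duped|ignored, "late_report": bool}.
    A report that precedes any click is a successful report; a click before
    any report makes the user "duped", with late_report set if they reported
    afterwards (a late report still gives responders a lead). Opening the
    mail without clicking counts as ignoring it."""
    per_user = defaultdict(list)
    for user, event, ts in events:
        per_user[user].append((datetime.fromisoformat(ts), event))
    results = {}
    for user, evs in per_user.items():
        evs.sort()  # order by timestamp so "first" is meaningful
        first_click = next((t for t, e in evs if e in DUPED_EVENTS), None)
        first_report = next((t for t, e in evs if e == "reported"), None)
        if first_report is not None and (first_click is None or first_report < first_click):
            results[user] = {"outcome": "reported", "late_report": False}
        elif first_click is not None:
            results[user] = {"outcome": "duped", "late_report": first_report is not None}
        else:
            results[user] = {"outcome": "ignored", "late_report": False}
    return results


def summarize(events):
    """Campaign-level counts and rates, the figures a periodic report would carry."""
    results = classify_users(events)
    total = len(results)
    counts = {k: sum(r["outcome"] == k for r in results.values())
              for k in ("reported", "duped", "ignored")}
    return {**counts, "total": total,
            "late_reports": sum(r["late_report"] for r in results.values()),
            "report_rate": counts["reported"] / total,
            "click_rate": counts["duped"] / total}
```

For the constructed log this yields a 25% report rate and a 50% click rate, with one of the two duped users reporting late.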
Ultimately, the participation of your users in securing your organization (through adhering to policies, reporting suspicious activities, etc.) is influenced by your work culture. See our post on how to achieve a security-conscious work culture. Leadership needs to clearly communicate that participation is imperative for the business. Some things to highlight (that should be reflected in your policies and practices) are:
- Feedback will be acknowledged and acted upon
- Participation will be reported and rewarded
- Non-compliance puts us all at risk, and there will be consequences
- Leaders are subject to the same checks and standards (i.e., walk the talk)
Make it Easy
When the rules are systematized and automated, they start to become ingrained. Similarly, by continually improving through feedback, and communicating the results, users see the impact of their participation and can even become eager to help. You will encounter resistance when users are prevented from doing their jobs as a result of misplaced policies, or exceptions that are not handled well. By making it easy to report such occurrences, you’re more likely to be aware of them – of course, there’s still the issue of managing them.
In sum, users can help secure your organization by adhering to the policies laid out, by maintaining an awareness of both the importance of security and the red flags to watch for, by vocally reporting suspicious activities, by communicating the external systems and parties they interact with, and by providing feedback when there are barriers or risks that are unaddressed. Leaders need to enable and encourage their users to do so.
ActZero MDR can help, by detecting and responding to threats that impact your end-users. We also conduct penetration testing to determine how easily threats can get through your prevention technologies to reach those end-users. Our monthly report provides you with hygiene scores for specific devices, with prescriptive actions to improve them – so you know exactly which users are in violation of your password policy, or have disabled their anti-virus, or which devices haven’t been patched, and what to do about it. Finally, our Virtual CISOs can advise you on the creation, reporting, and enforcement of policies that will help harden your security, reach regulatory compliance, and achieve a security-conscious work culture.