By: Milan Cetic
June 30, 2020
How to Make People Take IT Security Seriously
It all started when high tech became cool, when it suddenly became possible to brag about one’s computer in “normal” social circles. It was similar to the late seventies and early eighties, when showing one’s friends a pair of McIntosh mono amplifiers coupled with Nestorovic Labs New Yorker speaker boxes (which together cost as much as a Porsche) was the ultimate sign of extreme success in life, not something that would label someone as a weirdo.
It may be because, sometime around the turn of the century, nerds suddenly became rich, obscenely rich. At that point high tech, the thing that made nerds so rich, became sexy. But there was a catch. To use high tech products one needed the education and technical knowledge of a nerd, and pulling that off while still looking and behaving like a “normal” person was impossible for a significant majority of the population. Then some people decided to offer the general public a promise, packaged as a product. The promise sounded like this: “You don’t have to be a nerd to use high tech products. You can be a normal person and still successfully use high tech products on a daily basis. Let US do everything for you. You just pay a premium price, improve your social status, and be happy for the rest of your life.”
This was when it all started, because that was a false promise. Yes, one could spend a few hundred and improve one’s social status. Just taking one’s smartphone out of the pocket and placing it on the table in front of another person was an excellent conversation starter; the individual did not even have to pay for the drink. But, as many can see today, that individual was not going to be happy for the rest of his or her life.
Everybody was so focused on delivering more features to a high tech-hungry population that they were willfully blind to security issues. So they decided to wipe the subject out of existence with marketing and PR: “Security, schmecurity. Don’t ask unpleasant questions. Share and enjoy.”
The harsh reality
So, a generation or two of people grew up believing that they can handle high tech products without knowing how they work. Unfortunately, that is like handling a handgun without knowing how to engage the safety: somebody is eventually going to get hurt. Using high tech computing devices in everyday life without knowing anything about the security issues that come with them is like waving one’s hands around while holding a loaded gun with the safety off. By doing this, one is not only lulled into a false sense of security but also spreads the dangerous belief that using personal computers and mobile phones is safe: that one does not have to worry about keeping information safe, that one does not have to participate in any way in the IT security of one’s company, and that there are people and software that can protect everybody from any stupid thing they do.
Well, one is wrong.
This is an attitude towards IT security that, unfortunately, millions of employees (and managers) in the world today share. The intrinsic insecurity of today’s IT technology is the monster that threatens our collective belief in the brave new high-tech world to which most people so desperately cling. And people like to ignore it as much as they possibly can.
There was a small NGO that was giving free legal help to minorities. They were hacked, but, fortunately, their sensitive data weren’t stolen. A consultant was brought in to assess the situation, and part of the consultant’s job was to explain to the NGO’s employees and volunteers that some of their daily practices had to stop, as they were opening the door to intruders. Then one of the employees, a lad in his twenties, stood up. He was angry about the idea that he had to change his routine. So he asked a question: “How come, in the second decade of the 21st century, technology hasn’t reached the level that all of this can be 100% safe?”
No one can blame him. He grew up believing that this dream of his is possible. The only problem is that his dream couldn’t be further from the truth.
So now about a quarter of the workforce on the labor market has been drinking the pink Kool-Aid, and on the other side of the spectrum there is a large group of older employees who have only recently come to terms with having a personal computer on their desks: people who used typewriters to type their student papers and analog copiers to make a second copy for themselves.
Together, these make up almost half of the workforce in the developed world today. All of these people have a problem with adopting basic practices concerning IT security. And yet, if any of these people live in a large city, not one of them would leave their apartment or house without locking the front door (and arming the home security system) when nobody is left inside. That is basic common sense. And if one of them is an office manager who holds the keys to the office, they wouldn’t call a locksmith to tinker with the lock at home so that it could be opened with the same key they use for the office, just to have one less key on their keychain. That is what is thought of as common sense, and everyone has been taught it from early childhood, mostly by copying the behavior of the parents and grownups around them.
If it’s free, then it’s worthless
Therefore, re-education of the workforce has to start in companies, and it has to come from the top. The first people who need to adopt these new common-sense practices are the managers, because they need to lead by example, so that the rest of the employees can learn not only from mandatory annual 1-hour training sessions but by watching their managers behave responsibly.
And the best way to get these ideas across to company managers is to sell them, literally. If one goes around giving them free advice, they will, unfortunately, treat that advice according to its actual, numerical value, which is zero. On the other hand, if the cybersecurity community, especially those involved in education, goes to them and sells training sessions focused on management, they will give it the attention it deserves. In the end, they have paid for it, so it has to be worth something.
Of course, it is not that simple in real life, because managers are reluctant to change towards a safer (in an IT sense) work environment for a reason: some of the insecure practices brought them significant savings in running their businesses. Consider this scenario. A facilities manager in a large company is under pressure to reduce costs, because facilities do not bring money to the table, they spend it. So a decision is made to replace cubicles with touch-desks, and 2-3 employees now share one desk. Those employees are now expected to spend two full working days per week either in the field or working from home. This saves up to 50% of the rented space and reduces electricity and AC costs as well. The fact that this might be a security risk from an IT perspective, because people are now accessing the corporate network from potentially unsecured networks, is not the facilities manager’s problem. Nobody expects facility managers to take care of IT security; let the security people worry about that. So IT security implements a policy requiring the corporate VPN whenever one works outside the company buildings. But then employees start complaining. Some of them have poor internet connections at home. Some of them are in the field visiting customers and have to log the results of meetings in the corporate CRM between two visits, and sometimes the connection is bad and the VPN won’t connect. So they complain to their business managers, who then pressure IT to allow webmail usage to make their employees more productive and their work easier. And this is a recipe for disaster.
Disaster is not such a bad thing
However, the recent COVID-19 epidemic is a blessing in disguise for IT security. Suddenly, rows and rows of cubicles and touch-desks are empty, and they are going to stay that way for the foreseeable future; some of the largest companies in IT have banned their employees from going to the office until the end of the year, or even longer. Now everybody is working from home. And now it doesn’t matter how much money was saved on reduced office space, because nobody is using it anyway.
So now even those managers who were the strongest opponents of changing business processes and practices to make them more IT secure understand that something has to be done. The problem is that they are so stuck in the old way of thinking that they don’t know what to do.
This is why they have to be educated first, so that they are able to make informed decisions. They need to know what is wrong and what is right. If someone came to them today and said: “Let me sell you an online course on how to include IT security in managing your company effectively, in a way appropriate to the new reality,” most of them would probably agree instantly, if for no other reason than that they now have more free time than before. And it has to be someone from the outside, because they have already listened to so many ITSEC people telling them what needs to be done that they have developed a reflex of not listening to them.
The major task on IT security’s part is to shape these trainings so that those who receive them understand the impact of weak IT security and that some things simply have to change.
Such a training has to contain:
- A clear and realistic explanation that cyber-crime is now a multinational crime behemoth, bigger than any of the companies it preys on.
- A list of common practices that have a huge negative impact on IT security, with easy-to-understand, real-life examples of when things went really bad.
- A list of business practices that, because of the things stated above, have to be changed, with those changes introduced as the new normal.
- A clear message that not just the managers, but all of the employees in the company, have to conform to the new practices in the future (managers love this part).
- Guidelines for every vertical (IT, IT SEC, lines of business, finance, HR) on the type of action they need to take. These guidelines should include not just mandatory training for all employees, but also compliance checking and an explanation of the necessity to punish employees who are not doing their part (like using Joe_05121989 as a password).
If one manages to sell them this training, one should already have training prepared for the employees as well, with the infrastructure to deliver it and a reasonable price tag attached.
Then, if management has participated in these trainings and taken them seriously (most of them probably would), some real progress can be made: all of the people in the company start taking some responsibility for IT security, instead of waiting for a deus ex machina to save them.