Within an organizational environment, the cultural norms are what drive attitudes and behaviors. It matters little what corporate policies or employee handbooks have to say if the day-to-day ‘tone’ of the organization is inconsistent with its printed materials.
In many organizations, a complex set of “security policies” is used as a record – for the purposes of conformance – to document its formal expectations of employees and others. While policies are great in theory, they often exist solely for the purpose of satisfying external audit requirements.
The truth is; many organizations maintain a set of security policies that are archaic, ineffective, unreadable, unusable, and go unread! Yes, you can produce signed statements from employees that show they ‘read the policy’ upon hire and once annually, but if you stop someone in the hallways can they tell you anything at all about those policies?
So, if there’s a disconnect between what your policies say, and the cultural norms that exist within your organization (which there usually is), then what is actually informing peoples day to day decisions about how to handle information properly?
What drive’s MOST people’s understanding of security, within pretty much any-sized organization, is what they see in the media (including social media) or what they pick up from their friends and family members.
For the most part, every organization places its full faith and truth in the fact that ‘someone’ is taking care of that security stuff. People might see a training reminder or an e-mail notice about something security-related a few times a year, but that does little to dissuade the misinformation, misperception, and misapplication of security as it applies within YOUR unique organizational context.
When cyber attackers come looking for a way into your organization, it’s not going to be through the front door. It takes FAR less time, effort, and energy to use a social engineering exploit to gain an initial foothold than it does to attack a firewall head-on.
It’s what your people do, based on their ASSUMPTIONS about security that matter most; assumptions that are based on their extremely limited insight into the risks and proper decision-making criteria that should be applied when working with information; especially sensitive information like credit card data, health care records, or bank account details.
Make no mistake – people are the weakest link in the chain – IN EVERY SITUATION – when it comes to information security. It’s not because they don’t care though – it’s often that they just don’t have the right information – or the right set of principles to work from. Most people want to do the right thing. They just need to know what the right thing is…
We must begin to engage people in the process of information security on an every-day basis, not as a perception-driven and error-prone acceptance of risk, but as an informed instinct that helps reduce risks across the board.
At SecureITExperts we focus on eliminating the unnecessary clutter that’s in place today, simplifying the security process, and working to shift cultural norms to be in direct alignment with an organization’s DEFINED risk-tolerance thresholds.
We don’t deal with firewalls or other security products – we deal with the complexities of the human element. Are the humans in your organization the weakest link? If the answer is ‘no’, then the next question is “how are you so sure”?
If you can’t answer that question – we can help find an answer with you…