Helping users change their security postures – we all win!
The SANS Security Awareness Summit is the highlight of my year in terms of being with “my people” and learning the latest and greatest innovations and thought leadership in the industry. My brain is exhausted from the wide-eyed, don’t-even-take-time-to-blink knowledge absorption coming from fantastic industry leaders all day and from exchanging learnings and success stories with my peers at night. It’s not just another security summit; it is THE summit that is purely focused on changing behaviors in our organizations to steer our employees toward more secure behavior.
In a nutshell, the first thing that stood out for me this year is the heavy digging into the behavioral sciences to better understand how to change behaviors in our employees from risky actions to more secure ones. Year over year, security research and reports, from global industry reports like the Verizon DBIR to the reports done by vendors in the space, tell the same story: humans are often the cause of breaches or the victims of adversaries in their plots to steal our data. “If only our employees could be the solution instead of the problem” is the mantra we’ve all been chasing for at least the 16 years I’ve been in the industry.
I’ve seen my peers’ organizations (and the ones I’ve worked with) move up the scale of the Security Awareness Maturity Model way past checkboxing compliance to really, really, did I mention REALLY wanting to impact users to step it up in our quest to secure our data and organizations. It seems the industry as a collective whole, on average, is hammering away at stages four and five of the model: changing behaviors with the ability to measure that change.
The joy of having reached this far up the maturity scale is exhilarating. To be honest, I never really got too jazzed about newsletters and stickers and cafe games; they seemed to be the best we could all come up with at the time, but they did very little to change our risk landscape.
And we’ve all been straining to find metrics that reasonably measure behavior changes tied directly to our efforts. Phishing simulations were the first good alternative to arrive on the scene, but our users are becoming better at recognizing suspicious emails (thank God!), and the simulations can leave a bad impression on our users if not done with care and empathy.
So instilling positive behavior change that we can measure is where we all find ourselves, and it is where we will begin to see breakthroughs as our collective consciousness drives toward solutions in our industry.
As a vendor for security and risk teams, at Code42 we’ve already started building short nudge guidance (or trainings) to send to users when they’ve moved data into or out of untrusted sites, apps or devices. This is exciting because we meet the users at the moment they make a risky choice and are able to remediate the issue while at the same time giving the user specific guidance on how to get their task done in a more secure manner. Oh, and these “nudge” guidance videos are short (typically 3 minutes), so we are not impacting productivity, and in our early studies employees are actually grateful for the clarification of what the security team wants, in details a policy just can’t cover.
This is a paradigm shift for all involved.
- Analysts are now in a position to offer the guidance as part of their incident response plan, with the click of a few buttons
- The employee is not shamed for making a mistake; instead they are offered the detailed guidance they were seeking to make the right choice
- The awareness team isn’t running solo trying to change behaviors en masse with corporate communications, flyers or annual trainings
The best part is that the results are measurable. Not only can analysts count similar events before and after implementing the nudge guidance, but they also see a downward trend in the mistakes that put data at risk, leaving more of their time to spend on higher-risk events.
The other item stressed at the SANS Security Awareness Summit in terms of behavior change was to pick one behavior at a time to tackle. When our team implemented the nudge/guidance training (referred to as Instructor), they focused on a common problem: employees granting too broad access to their documents, usually to make it easier for ALL their partners to get in. But that access was also often granted to people who did not need to see the information, so Incydr would alert on those. Our analyst developed an automated conversation in Slack that starts by presuming positive intent (innocent until proven guilty) and found most users were unaware their actions were so risky. Then they were sent the 3-minute nudge guidance they needed. Follow-up communications showed content, better-educated users who did not resent the security intervention.
Additionally, our team found that this automated way of sending guidance:
- sliced 5% off the time our analysts needed to respond to alerts
- cut the number of repeat offenders among users who received the nudge guidance to ZERO
- unintentional oversharing of documents has continued to decline
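To make the loop concrete, here is an added example of the detect, nudge and measure steps described above. It is illustration code written for this page, not Code42’s Instructor or Incydr code; the event format, the sharing scope names, the guidance URL and the Slack hand-off (messages are only recorded in an outbox) are all constructed assumptions. It flags shares set to a link-for-anyone or public scope, composes a positive-intent message with a link to guidance, and then compares alert counts before and after rollout and lists anyone who overshared again after being nudged.

```python
"""Detect -> nudge -> measure loop for over-broad document sharing.

Added example, not Code42's Instructor or Incydr code. The event format,
the guidance URL and the Slack delivery are constructed for illustration;
"sending" a message here just records it in an outbox.
"""
from dataclasses import dataclass

# Sharing scopes that expose a document beyond the people who need it (assumed names).
RISKY_SCOPES = {"anyone_with_link", "public"}


@dataclass(frozen=True)
class ShareEvent:
    user: str
    doc: str
    scope: str   # "restricted", "domain", "anyone_with_link" or "public"
    day: int     # day number within the observation window


def overshare_alerts(events):
    """Detection step: keep only the sharing changes that grant over-broad access."""
    return [e for e in events if e.scope in RISKY_SCOPES]


def nudge_message(alert, guidance_url):
    """Positive-intent wording: assume the user was trying to make collaboration easier."""
    return (
        f"Hi {alert.user}, it looks like '{alert.doc}' is now shared as '{alert.scope}'. "
        "That is usually done to make it easier for partners to get in, but it also "
        "lets anyone with the link read it. Here is a short walkthrough of the safer "
        f"way to share it: {guidance_url}"
    )


class NudgeProgram:
    """Sends guidance for alerts raised on or after rollout_day and remembers who got it."""

    def __init__(self, guidance_url, rollout_day):
        self.guidance_url = guidance_url
        self.rollout_day = rollout_day
        self.first_nudge = {}   # user -> day the user first received guidance
        self.outbox = []        # (user, message) pairs that would go to Slack

    def handle(self, alert):
        """Respond to one alert; before rollout the analyst handled it by hand, so no nudge."""
        if alert.day < self.rollout_day:
            return None
        message = nudge_message(alert, self.guidance_url)
        self.outbox.append((alert.user, message))
        self.first_nudge.setdefault(alert.user, alert.day)
        return message


def measure(alerts, program):
    """Before/after alert counts plus the users who overshared again after being nudged."""
    before = [a for a in alerts if a.day < program.rollout_day]
    after = [a for a in alerts if a.day >= program.rollout_day]
    repeat_offenders = sorted({
        a.user for a in after
        if a.user in program.first_nudge and a.day > program.first_nudge[a.user]
    })
    return {
        "alerts_before": len(before),
        "alerts_after": len(after),
        "nudges_sent": len(program.outbox),
        "repeat_offenders": repeat_offenders,
    }


# Constructed sample events: nudges roll out on day 5 of the window.
SAMPLE_EVENTS = [
    ShareEvent("alice", "Q3 plan", "public", 1),
    ShareEvent("bob", "budget", "anyone_with_link", 2),
    ShareEvent("carol", "meeting notes", "restricted", 2),
    ShareEvent("alice", "roadmap", "anyone_with_link", 3),
    ShareEvent("dave", "design doc", "public", 5),
    ShareEvent("bob", "contracts", "anyone_with_link", 6),
    ShareEvent("erin", "HR handbook", "domain", 7),
    ShareEvent("dave", "design doc v2", "public", 8),
]


def run_example(events=SAMPLE_EVENTS, rollout_day=5):
    """Run detection over the sample, nudge post-rollout alerts and return the metrics."""
    program = NudgeProgram("https://example.invalid/guidance/sharing", rollout_day)
    alerts = overshare_alerts(events)
    for alert in alerts:
        program.handle(alert)
    return measure(alerts, program)


if __name__ == "__main__":
    print(run_example())
```

On the constructed sample, three alerts fall before rollout and three after; three nudges go out, and only dave shows up as a repeat offender because he overshared again on day 8 after being nudged on day 5. The same two numbers, alert volume per period and repeat offenders among nudged users, are the ones worth tracking in a real deployment, since together they distinguish “fewer alerts” from “the people we reached stopped doing it”.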
So we’re doing it here at Code42, and I’m excited for our customers to start using Instructor with Incydr to reap the benefits of changing user behaviors to lower risk in a way that is measurable! One thing to note is that this approach works best when done within a positive security culture, which is more and more the trend among security teams worldwide (another exciting development in the field).
Good luck on your programs and getting your humans to be a larger and larger part of decreasing risks at your organization. It’s an exciting time!