Ask Slashdot: How Can We Create a Culture of Secure Behavior? 169
An anonymous reader writes "Despite the high news coverage that large breaches receive, and despite tales told by their friends about losing their laptops for a few days while a malware infection is cleared up, employees generally believe they are immune to security risks. They think those types of things happen to other, less careful people. Training users how to properly create and store strong passwords, and putting measures in place that tell individuals the password they've created is 'weak' can help change behavior. But how do we embed this training in our culture?"
Good morale, perhaps? (Score:2, Interesting)
In my experience, a company with high employee morale has people who will tend to listen and follow security procedures, even when it might be time consuming. Even small things like stopping someone who slips past a door without badging in, or asking who someone is who is in a building without some ID.
With poor morale, there isn't much for the people to bother with security. I've seen companies try to save money by offshoring... then lose a lot more due to breaches than they would have spent by keeping existing talent in house.
Start early on with training and rules (Score:2, Interesting)
While it may seem draconian, the best way I've found is to start from the ground up with recurring training. Make the training mandatory, but unobstructive, and ensure you get the people to sign they understand the rules. You'd be surprised just how much of a difference you will get from anyone if you have a piece of paper with their signature on it, there just isn't the same value in an emailed "ok, I got it".
There is a delicate balance between security and convenience, so you need to make sure that whatever you do to your end users doesn't bother them too much. Having purely random passwords is sure to get them to write it down and stick it under their keyboard. Having too loose of passwords is what will get you on the front page. However, if you can give them some leeway while maintaining some length and complexity in the passwords (i.e. pointers on using passphrases or self-made acronyms), you can go a long way. You might make a game out of your training too, give out some cheap prizes like lollipops or something, for various categories of passwords that the users create as part of the training. Who can make the best 24 character password? Who can make the funniest 12 character? etc... Engage them, give them something to remember, but hold them accountable for their (lack of) actions as well.
Password strength is overrated (Score:5, Interesting)
In my 25 years working in IT, none of my passwords, weak or strong, have ever been hacked. Even my teenage sons, who have no idea about password strength, or site security, have never been hacked. And I doubt YOU can point to a single instance of someone hacking YOUR password.
Does password hacking happen? Yes, of course. Should we be careful? Yes. But there are much greater dangers, such as malware (which you no doubt HAVE had a personal brush with).
So if we need to put up with annoying security measures, let's at least focus on the more relevant dangers, rather than forcing us all write down our passwords and stick them to the bottom of our keyboards!
Re:How Can We Create a Culture of Secure Behavior? (Score:4, Interesting)
Or more succinctly: incentives matter. What incentive does an employee have to keep data secret? Will he be demoted in rank and lose pay if he does something stupid?
What incentives do companies have to maintain a secure infrastructure? Will their insurance policy hold them liable if they do not?
I'm just in the middle of polishing up a puppet module to deploy a bunch of new certs on my infrastructure. My incentive is that my reputation looks pretty bad if I advise clients to be secure but my own infrastructure is not up to snuff. That's really an incentive to avoid lost opportunities, I suppose.
Google is talking about scoring up pages that are secure. Another very wise incentive.
Let's keep this ball rolling: what other incentives can we offer or explain?
Re:This approach has gone nowhere for years (Score:5, Interesting)
Re:This approach has gone nowhere for years (Score:4, Interesting)
It's working quite well. The cost of all that is very low on the scale of the banks and that's what matters. It's simply not about "0 incidents", it's about limiting the damage to little enough that it's not important.
Partly that depends on the bank, of course, as some are total dicks about it if your card gets skimmed, but that's a customer service problem. Detecting the problem, limiting the cost, and so on are all important systems that banks take seriously. And the banks are gradually making systemic, low cost changes to reduce the ease of skimming, or of hacking an ATM, but they're not in a hurry as it's just not that expensive of a problem (how many ATM heists to equal a single mortgage default?). More importantly, they're not trying to fix their customers!