The user is the weakest link. Really? Part 2

Let’s leave the somewhat depressing thought from my previous blog, that ICT people are the weakest link, for what it is for now. Yes, it might be true, as they have designed, developed and maintained ICT that combines badly with known vulnerable human behaviour. Let’s go one step further and determine how expected human behaviour can be used for the best, even with inherently insecure ICT.
 
A few weeks ago I was talking about information security with the CEO of a large services provider. He had done the well-known sort of risk assessment workshop with his accountant and might have done some awareness activity, but information security was not very much on the management radar, even though there were some crown jewels to protect. Employees were not very concerned either. The CEO, on the other hand, somewhat fondly observed that the folks in his organization were really entrepreneurial and focused on action. Managing risks is not really on their minds, though, and that concerned him a little.
 
Although the main course of action in such cases could be raising awareness with a solid communications campaign and perhaps training, we ventured into a different area. Why not take that strong, internal incentive of the employees as the guiding principle? They want to work hard, anywhere, anytime. That means new devices on the network every day, working remotely and so on. Why not combine the need to work anywhere, with any device, with subtle ‘blockades’ and ‘funnels’ that force employees to adopt secure behaviour?
 
Yes, you can work on the company network with your smartphone, but only with the right certificates and a VPN connection that will only connect if you have an up-to-date virus scanner. A small example perhaps (and not complete), but technology in itself offers a lot of possibilities to subtly lure people into secure behaviour or steer them away from insecure actions.
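The certificate-plus-current-scanner gate described above, written out as a device posture policy that a VPN gateway could apply before admitting a device. This is an added illustration, not code from the original post; the posture fields, the three-day signature age limit and the wording of the messages are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass
class DevicePosture:
    """Constructed posture record: what a gateway could learn from the client
    certificate and an endpoint agent before completing the VPN handshake."""
    has_company_cert: bool
    cert_expires: Optional[date]
    av_running: bool
    av_signatures_date: Optional[date]


# Assumed policy value: virus definitions older than this count as stale.
MAX_SIGNATURE_AGE = timedelta(days=3)


def evaluate_posture(p: DevicePosture, today: date) -> Tuple[bool, str]:
    """Return (allow, message).

    The message is the 'funnel': rather than a bare refusal, the user is told
    the single step that gets them working again, so the secure action is the
    path of least resistance. Checks run in the order the user must fix them.
    """
    if not p.has_company_cert or p.cert_expires is None:
        return False, "Enrol this device to receive a company certificate."
    if p.cert_expires <= today:
        return False, "Your device certificate has expired; re-enrol to renew it."
    if not p.av_running:
        return False, "Start the virus scanner, then reconnect."
    if p.av_signatures_date is None or today - p.av_signatures_date > MAX_SIGNATURE_AGE:
        return False, "Update the virus definitions, then reconnect."
    return True, "Connected."


if __name__ == "__main__":
    today = date(2024, 5, 10)  # constructed evaluation date
    stale = DevicePosture(True, date(2025, 1, 1), True, date(2024, 5, 1))
    current = DevicePosture(True, date(2025, 1, 1), True, date(2024, 5, 9))
    for device in (stale, current):
        print(evaluate_posture(device, today))
```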
 
For other organizations with different cultures from the services provider described, other incentives might work better. The military, for instance, probably gains much more than most other organizations from clear and well-communicated regulations.
 
I therefore believe that we can gain a lot of ground as an information security discipline if we take organizational culture and human behaviour into account. Change management, and the way other support functions in organizations work with the business, can be inspiring. There’s still a lot to learn for us in infosec!
