Penalties For Insecure Employees. Yes? No?

By Heather Howland

What would you think if your company penalized you for clicking on a phishing link? Or because you bent the security rules in order to get something done more easily? In today’s day and age, we are seeing big public (and expensive) breaches almost every day. With the cause of many of these big breaches coming from the inside, CISOs are shifting their strategies. A recent Dimensional Research report found that nearly 50% of IT security professionals surveyed are more concerned about internal threats than external.

Is your organization taking all the necessary steps to ensure that cyber risk is sufficiently being managed? And is it so far fetched that we might tie employee cybersecurity success to Management Business Objectives (MBOs)? According to the last Verizon Data Breach Investigation Report, 30% of phishing emails are still opened by employees. And 63 percent of the confirmed data breaches involving a weak, default or stolen password. With the potential cost of brand loss, intellectual property and breach response being so high, it’s no wonder that some companies are looking to find new ways to reduce their risk.

To turn this around, training employees is clearly a priority. However, Dimensional Research also found that while most organizations (approximately 95%) provide end-user security training, only 10 percent of IT Security Professionals believe the training is very effective. Anecdotally, CISOs often say that it’s because the training is done infrequently, not in context of risky employee behavior and there are minimal to no consequences if they do something wrong. They’re just checking the box that illustrates a completion of training.

Something’s got to give. A company’s financial success can be dramatically affected by a security breach. Employees need to become part of the security fabric of their organization to help improve overall company performance. And it should be every employee’s responsibility, at all levels, to act as securely as they can and to give them incentives and penalties for doing so, just as they are given the same for meeting other important MBOs which may be tied to their bonuses.

How might an organization put this into practice? The ability to measure and understand where the weak links are in an organization is key. Solutions like User Behavior Analytics (UBA) can be implemented to allow organizations to better understand where their risky users are, which employees have weak passwords, who may be sharing an account, which privileged users are engaging in risky activities to get their work done faster, when they are doing it, and more.

Once you have visibility into user behavior, it is possible to track and measure. Users can receive individual risk scores based on their behavior that can be compared with others in the company or in their department who those who have similar roles. UBA solutions can even interact with users when they engage in risky behavior. It can prompt them to update their password, use multi-factor authentication to verify identity, or block them when they are doing something very risky. This allows the security team to easily track employees over time and define what an individual cybersecurity MBO might look like.

With this knowledge, companies can set objectives, define penalties and also provide real-time feedback to employees so they know where they stand and have the tools needed to understand whether or not they are a security ace or a security flop. It can even be gamified so that users can track progress and compare performance to their peers. But to change behavior and better train employees, they need to understand what they are doing wrong so that they can change it. And if they continue to make those same mistakes, this is where a company can start to enforce penalties.

While the concept of penalties may sound harsh, depending on the company, the losses from a data breach can put a company under, cost them hundreds of millions of dollars, result in brand damage and more. So, how companies implement penalties for individuals could vary based on a variety of factors. For example, employees with more access to sensitive data, or privileged users, may have stricter penalties.

To implement this successfully, there are two key factors; 1) educate in real time so employees can learn what they did wrong 2) Ensure that business is not interrupted.
 

3 Areas Where Penalties Could Be Effective

First, there are annual bonuses. Nothing gets most people’s attention more than money. As part of an employee’s personal MBOs, they need to maintain an acceptable average “risk score.” If they maintain a consistent low-risk score, they meet the objective and perhaps there is an additional financial incentive for rewarding good behavior. But if their risk score is higher than it should be, perhaps this could negatively impact a percentage of their annual bonus plan. Or this could be tied to overall corporate security goals/requirements. This way, employees know that their behavior also impacts everyone else in the company.

Second, there is what I call “inconvenience” penalties. Inconveniences can help people learn not to engage in risky behavior because it will temporarily make it more difficult for them to do their job. These penalties may be viewed as more controversial because you could be slowing down job output but make employees much more aware of when they are doing something wrong and why. In essence, giving them real-time training and feedback with motivation to not do that behavior again.

Inconvenience penalties could include things like requiring risky users to take a real-time security training module so they learn what they did wrong and what to do next time. It could also be forcing an employee to use multi-factor authentication every time they access certain systems for a period of time. Or perhaps they are put in a penalty box and are prevented access for a limited time (blocked for 1 hour for example) or have them take extra steps, like getting approval from the security team or their boss, in order to get out of the penalty box sooner.

Third, there is executive alerting. This is kind of equivalent to your teacher sending your parents a note when you were in school and did something bad. The lecture you get from your parents can be enough to help you learn a lesson. If an employee is engaging in a certain type of risky behavior or if their risk score is consistently too high, then an automated alert could be sent to their boss and/or senior leadership. No employee wants their boss (or their boss’s boss) to receive notes that show they are doing something wrong.

As organizations continue to look at ways to reduce their overall risk and improve their insider threat program, it is clear that employees themselves need to be a part of it. We can’t rely on more security gear to better protect the company from employee mistakes. The old idea that “security needs to be invisible” is starting to dissolve. More contextual real-time training and implementing Security MBOs with associated rewards/penalties will help employees become part of the solution rather than continue to be part of the problem.


About Heather Howland

Heather Howland is Vice President of Marketing at Preempt. Heather has over 20 years of experience marketing enterprise security and infrastructure solutions at both innovative startups and market leading companies.

More About Heather