Earlier this week, I published an article with ITSP Magazine that discusses a newly brewing concept within Enterprises around penalizing employees for bad security behavior. Can you imagine if your company penalized you for clicking on a phishing link? Or because you bent the security rules in order to get something done more easily?
As we look at recent big high profile data breaches, we have learned that many are started from the inside. CISOs are shifting their strategies and prioritizing how to tackle internal threats (insiders, naive users and detecting breaches). According to a recent Dimensional Research report, nearly 50% of IT security professionals are more concerned about internal threats than external.
With the potential cost of brand loss, intellectual property and breach response being so high, it’s no wonder that some companies are looking to find new ways to reduce their risk. Is it so far fetched that we might tie employee cyber security success to Management Business Objectives (MBOs)?
As we have seen, a company’s financial success can be dramatically affected by a security breach. Employees need to become part of the security fabric of their organization to help improve overall company performance. And it should be every employee’s responsibility, at all levels, to act as securely as they can.
So why not give employees incentives and penalties for meeting security objectives? They are given the same for meeting other important MBOs which may be tied to their bonuses.
I encourage you to read the full ITSP Magazine article so you can dive deeper into how an organization can put this into practice as well as the types of penalties that might be effective. Here are some of the highlights we dig into.
Implement Measurement Tools that Monitor User Behavior
If you are already using a User Behavior Analytics (UBA or UEBA) solution, you have the underpinnings to measure and understand where the weak links are. You know where risky users are, which employees have weak passwords, who is sharing accounts, which privileged users are engaging in risky activities to get their work done faster, and more. Users can receive individual risk scores based on their behavior that can be compared with others in the company or in their department who those who have similar roles. This provides the measurement tools you need to set objectives, define penalties and also provide feedback to employees.
Factors and Type of Penalties
How companies implement penalties for individuals could vary based on a variety of factors. For example, employees with more access to sensitive data, or privileged users, may have stricter penalties. To implement successfully, there are two key factors; 1) educate in real time so employees can learn what they did wrong 2) Ensure that business is not interrupted. Here are a few tpes of penalty examples that could be used:
- Annual Bonuses
Nothing gets people’s attention more than how it might affect their pocketbook.
- Work Inconvenience
Forcing an employee to take extra steps next time or blocked for a period of time. While these could be considered controversial in some businesses, they can be useful techniques to incent employees not to do something again.
- Executive Alert
What employee would want their boss (or boss’s boss if behavior continues) getting a note about them doing something wrong?
As organizations continue to look at ways to reduce their overall risk and improve their insider threat program, it is clear that employees themselves need to be a part of it. The old idea that “security needs to be invisible” needs to dissolve and employees need to become part of the solution rather than continue to be part of the problem. implementing Security MBOs with associated rewards/penalties may help you get a step ahead.
Learn More about how Preempt can Help Improve Employee Security Behavior and Prevent threats
To learn more about how a solution like Preempt can help you with this type of initiative, feel free to contact us for a demo. Preempt can help you measure and score your users as well as interact with them when they engage in risky behavior. It can prompt them to update their password, use multifactor authentication to verify identity, or block them when they are doing something very risky. This allows the security team to easily track employees over time and define what an individual cybersecurity MBO might look like.