By now, I suspect that most everyone is familiar with the Wells Fargo scandal. For those that have been living under a rock for a few days, approximately 5,300 Wells Fargo employees have lost their jobs because they were opening fraudulent accounts in the names of unsuspecting customers in an effort to hit their incentive bonus targets.

There are some curious elements to this fraud. First, according to The New York Times, the employees were provided with ethics training warning them specifically against such practices. Second, there is evidence that some members of management were aware of the practice and did not stop it. Most surprising is the fact that Wells was hit (so far) with $185 million in fines and penalties, all because of only $2.6 million in fraudulent fees.

The folks at Defensive Security last week pointed out the strong parallel between this case and employee security, raising the question of whether we are incentivizing employees to employ poor security practices while at the same time training them on good security practices.

If you think through this correlation carefully, you should quickly see the connection. We incentivize employees to be productive, in most cases with formal targets for work completion. Even when such targets are not explicitly stated, it is understood that employees who don’t get their work done will miss out on raises and promotions, and potentially lose their jobs. At the same time, we saddle them with an ever-increasing list of security requirements. In the information security world, the not-so-carefully-guarded little secret is that conforming to security rules reduces productivity. I might claim that everyone could follow safe security practices and remain as productive as they would be without following them, but this would be dishonest. In fact, following the rules will impact productivity to a varying degree.
As an example, we tell our employees to be cautious about clicking on links in email, but then we press them to finish work that relies on links sent via email. We may also require them to research topics while blocking a large number of websites for security reasons. One such mixed message hit home for me last week. The organization for which I currently consult blocks cloud storage sites such as Dropbox, to ensure that any storage of sensitive data is properly protected. In a meeting with users last week to discuss this blocking, we were told in pointed fashion by many that such blocking was making it harder for them to do their jobs.

In my article “Information security and employee productivity in conflict,” I cited a study in which 91% of those surveyed claimed that following security rules impacted their productivity. In the same article, I confessed that, as a cybersecurity professional, employee convenience has never topped my priority list. I, like many in this field, tend to put security first, and other considerations a distant second.

Given the fact that ransomware is rampant today, with opening attachments or clicking links the main mode of infection, it is imperative that we make employees part of the security process, rather than telling them how to stay secure and then demanding that their productivity remain constant. Otherwise, the inherent conflict will continue to expose our organizations to security failures.

So, how do we balance productivity with security? The following are some thoughts:

Seek understanding

If you are anything like me, you probably remember your parents telling you to do or not to do something, without them really understanding how their decision impacted you.
If you impose stringent security requirements on employees with them having little or no understanding of what issues need to be addressed and why they are important, you get the same reaction. As Stephen Covey so aptly put it, “seek first to understand, then to be understood.” Live in their shoes for a bit, understand their struggles, and then help them to understand why your security requirements are important.

Involve employees from the start

Just as the major automobile manufacturers have for many years sought input from their assembly line workers on improving efficiency, we must involve employees in the process of balancing security with productivity. Build an advisory team from across the organization, and discuss with them the security issues that you need to address. Get their input on how to address those issues with minimal impact to their work. And most importantly, listen to them.

Address the workload impact

Given the growing cybersecurity threat, we will be forced to make hard decisions that involve imposing requirements that make more work for employees across the board. It is unreasonable, however, to expect them to absorb the extra work while continuing to finish all other tasks. Your staffing levels and assignments must take into account the extra overhead necessitated by security controls.

Find balance

I am working on a mobile media encryption project for one organization. We had initially planned to require employees to encrypt all removable drives, including the content already on them. Once we recognized the overhead and frustration this would involve, we elected only to encrypt free space at this phase. This is not quite as secure an approach, but it will serve the needs of the organization better in the long run.

Bottom line — cybersecurity is hard, and those of us charged with protecting our organizations need all of the help we can get. When done correctly, it is possible for your employees to be allies in that fight, rather than bystanders or even enemies. Incent them from the start to be a positive force, and not a negative one.