



Are you encouraging your employees to take security risks?

Oct 05, 2016 | 5 mins
IT Leadership, Security

By now, I suspect that most everyone is familiar with the Wells Fargo scandal. For those who have been living under a rock for a few days, approximately 5,300 Wells Fargo employees have lost their jobs because they were opening fraudulent accounts in the names of unsuspecting customers in an effort to hit their incentive bonus targets.

There are some curious elements to this fraud. First, according to The New York Times, the employees were provided with ethics training warning them specifically against such practices. Second, there is evidence that some members of management were aware of the practice, and did not stop it. Most surprising is the fact that Wells was hit (so far) with $185 million in fines and penalties, all because of only $2.6 million in fraudulent fees.

The folks at Defensive Security last week pointed out the strong parallel between this case and employee security, bringing into question whether we are incentivizing employees to employ poor security practices while at the same time training them on good security practices.

If you think through this correlation carefully, you should quickly see the connection. We incentivize employees to be productive, in most cases with formal targets for work completion. Even when such targets are not explicitly stated, it is understood that employees who don’t get their work done will miss out on raises and promotions, and potentially lose their jobs. At the same time, we saddle them with an ever-increasing list of security requirements.

In the information security world, the not-so-carefully-guarded little secret is that conforming to security rules reduces productivity. I might claim that everyone could follow safe security practices and continue to be as productive as they would be without following them, but this would be dishonest.

In fact, following the rules will definitely impact productivity to a varying degree. As an example, we tell our employees to be cautious about clicking on links in email, but then we press them to finish work that relies on links sent via email. We may also require them to research topics, while blocking a large number of websites for security reasons.

One such mixed message hit home for me last week. The organization for which I currently consult blocks cloud storage sites such as Dropbox, to ensure that any storage of sensitive data is properly protected. In a meeting with users last week to discuss this blocking, we were told in pointed fashion by many that such blocking was making it harder for them to do their jobs.

In my article “Information security and employee productivity in conflict,” I cited a study in which 91% of those surveyed claimed that following security rules impacted their productivity. In the same article, I confessed that, as a cybersecurity professional, employee convenience has never topped my priority list. I, like many in this field, tend to put security first, and other considerations a distant second.

Given the fact that ransomware is rampant today, with opening attachments or clicking links the main mode of infection, it is imperative that we make employees part of the security process, rather than telling them how to stay secure, and then demanding that their productivity remain constant. Otherwise, the inherent conflict will continue to expose our organizations to security failures.

So, how do we balance productivity with security? The following are some thoughts:

Seek understanding

If you are anything like me, you probably remember your parents telling you to do or not to do something, without them really understanding how their decision impacted you. If you impose stringent security requirements on employees with them having little or no understanding of what issues need to be addressed and why they are important, you get the same reaction.

As Stephen Covey so aptly put it, “seek first to understand, then to be understood.” Live in their shoes for a bit, understand their struggles, and then help them to understand why your security requirements are important.

Involve employees from the start

Just as the major automobile manufacturers have for many years sought input from their assembly line workers on improving efficiency, we must involve employees in the process of balancing security with productivity. Build an advisory team from across the organization, and discuss with them the security issues that you need to address. Get their input on how to address those issues with minimal impact to their work. And most importantly, listen to them.

Address the workload impact

Given the growing cybersecurity threat, we will be forced to make hard decisions that involve imposing requirements that make more work for employees across the board. It is unreasonable, however, to expect them to absorb the extra work while continuing to finish all other tasks. Your staffing levels and assignments must take into account the extra overhead necessitated by security controls.

Find balance

I am working on a mobile media encryption project for one organization. We had initially planned to require employees to encrypt all removable drives, including the content already on them. Once we recognized the overhead and frustration this would involve, we elected only to encrypt free space at this phase. This is not quite as secure an approach, but will serve the needs of the organization better in the long run.

Bottom line — cybersecurity is hard, and those of us charged with protecting our organizations need all of the help we can get. When done correctly, it is possible for your employees to be allies in that fight, rather than bystanders or even enemies. Incent them from the start to be a positive force, and not a negative one.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
