An informal study conducted in June by KnowBe4 at the Infosecurity Europe trade show revealed that 55% of security professionals admit to engaging in risky online activities at work. The survey found that one-third of participants used entertainment or streaming services against company policy, 15% subscribed to too many email lists, and 13% opened potentially malicious email attachments.
Javvad Malik, lead security awareness advocate at security training company KnowBe4, said this kind of “overconfidence” on the part of IT teams can do as much damage to an organization’s security as the risky behaviors themselves.
“It’s very much a case of do as I say, not as I do, and I think that really rubs people up the wrong way,” Malik told IT Brew. “It kind of reminds me of the saying, ‘I’ve never been in a car crash myself, but I’ve seen tons in my rearview mirror.’” These and other attitudes can alienate IT teams from the rest of the company and make their jobs more difficult.
When Malik speaks to organizations having trouble making progress with their security awareness program, Malik said his first question to them is always, “What’s your relationship like with your colleagues?” He added, “They sometimes give me a quizzical look, like, what does that have to do with anything? And I’m like, that has everything to do with everything.”
Memes. An IT security professional with over 20 years of experience as an administrator, consultant, industry analyst, and security advocate, Malik has seen a thing or two. So, we should probably trust him when he insists that good corporate cybersecurity starts with having a Slack channel where people share memes.
Yes, memes. Or at least something along those lines. From Malik’s perspective, convincing employees to follow security protocols requires building a relationship with them outside of just telling them what they can’t do—be it memes or anything else that makes people see the IT pros as anything other than a faceless department making you jump through two-factor authentication apps, watch boring security videos, or think twice before watching Netflix on your company laptop.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“If you build that relationship with them and treat them as colleagues,” Malik says, “then they’re far more likely to trust you or come on board with you when you ask them to do something to protect the organization.”
Department of no. Malik says IT teams make a mistake in thinking that their job is only to tell colleagues how to create long passwords or enable multi-factor authentication. They need to explain why they need to practice good security hygiene.
Malik says employees are more likely to do an end run around security practices if they view the IT department as the “department of no.” By understanding the motivations behind certain behaviors, Malik said, security teams can encourage safer practices without impeding productivity.
Future-proof your security. Hackers will continue to find ways to infiltrate networks with sophisticated phishing attacks using generative AI and whatever is next. But Malik said that creating a strong culture of security will future-proof your security protocols: “We’re talking about behaviors and psychology of people and how they interact or react to certain scenarios. And once you build up that framework, then the idea is that hopefully, whatever the new technology is, or whatever the new thing is, that they can apply that framework and, and navigate safely.”