And yet your staff still break the rules. Every. Single. Day.

At first glance there can only be two reasons for this flagrant violation of the security policy. Either the staff are ignorant and don't understand the rules, or they are troublemakers and dismissive of the need to follow them. The obvious answers are more computer-based training and stronger rules. Perhaps a new screen-saver and some posters will help.

Perhaps not.
I've undertaken social engineering assignments that involved getting into the IT department of a large bank. Past reception, through the first swipe card door, past the guard station, through the second swipe card door. Not just once, but on multiple consecutive days to prove that it wasn't a fluke. Everything was in plain sight of bank employees and contrary to their policies.
So are the bank employees ignorant or troublemakers? Maybe some are one or the other, but the vast majority are neither. They are sensible. Just to be clear, I am saying that breaking the security rules is sensible for many employees of many businesses.
Think about it in economic terms. Employees are paid for getting the job done. They get fired for not getting the job done. They almost never get fired for breaking the rules. In fact there is rarely any consequence of breaking the rules at all. So given the choice of getting the job done by breaking the rules, or not getting the job done by following the rules, which is the rational choice? The one they all make.
Which brings us to the crux of the matter. Security rules that get in the way of getting the job done will be ignored. A culture of getting the job done first, with compliance a distant second, fosters breaking the rules.
When recast this way, there really are two obvious ways forward. Either promote a culture where we look at security in the same way manufacturing businesses look at safety, and report every incident and near miss. Or mercilessly fire people for non-compliance.