Assume that it’s time for Bob’s performance review.
Bob’s boss says he’s a great addition to the team. Easy to work with!
And the sales numbers? Hot mama, Bob’s smokin’! Mr. Bob surely has worked himself toward a big, fat raise!
Or not. Bob would have gotten a raise, that is, but he got fooled by a phishing email and unwittingly invited the bad guys in through the front door, torpedoing Widget Industries Ltd’s multimillion-dollar investment in security systems.
Fiction! But can you imagine if this were really the way employees were assessed? They answer a phishing scam email, they trigger a major security breach, and then they’re held accountable?
This is an approach that big companies might actually think of adopting, according to Dave Clemente, a research associate in the field of security who works at Chatham House, a London-based think tank on international affairs.
Speaking to Business Reporter, Clemente suggested that reprimands, at the very least, might help companies whose employees undo millions of dollars of security expenditures by doing something as simple as opening a bad email:
Even if it’s innocent, you can spend millions on firewalls and one of your employees can undo that by opening a dodgy email. … One idea would be to encourage employees to be more careful. You could have a system where, if you open two or three of them [phishing emails], you get a reprimand.
I think people would comply, particularly if your behavior regarding cyber security was linked to your annual assessment.
Of course, beyond the misdeeds of Bob and his ilk are the security disasters that companies manage to bring down a bit more systematically onto their own heads, particularly when jumping on the bandwagon for new trends and technologies without first figuring out the security implications, Clemente says:
For bigger companies, one problem is efficiency drives which push companies into insecure behavior, like moving into the cloud or doing BYOD [Bring Your Own Device] before you realize the security implications, because everyone else is doing it. It’s done as a reaction to what other people are doing and done without being integrated into the company’s technology strategy.
Moving data to the cloud can be particularly tempting to small firms with limited resources who struggle with the burden of dealing with cyberthreats, Clemente noted.
It’s not such a bad idea, given that cloud services can have a decent amount of security, he said, but the downside is that small businesses lose control over data stored in someone else’s hands.
If we move toward holding employees accountable for goofy clicking, should C-level types likewise be held accountable for security fiascos that erupt out of their jumping on technology bandwagons such as BYOD and cloud services?
Call me a liberal weenie, but I’d suggest that decent training might produce better effects than whipping employees.
It all reminds me of a July 2012 article by Immunity Inc. CEO Dave Aitel in which he discussed whether security training might be futile.
Aitel said at the time that in spite of a conscientious approach to security training, his clients still have, on average, a click-through rate for client-side attacks of at least 5 to 10 percent.
Even the training software his clients use has “glaring flaws,” he said, including SQL injection and cross-site scripting – the two most common vulnerabilities in OWASP’s Top 10 list of application security risks.
What’s the answer? Reprimands? Performance assessments that take people to task for security snafus?
I’d say no. I’d suggest that better training might be the way to go.
After all, there are scads of training success stories, many of them posted in reply to Aitel’s PCWorld article.
What do you think? Should we put scam-clicking employees in stocks and toss tuna sandwiches at them, or is there a better way to improve security?