A lot of cybersecurity solutions and journalism focus on the threat of the outside hacker or fraudster – someone who’s actively trying to invade your organization to steal valuable data, lock it down for ransom, or simply sow chaos.
While these are indeed very serious threats that must be kept at bay, this focus sometimes leads to another problem going ignored: insider threats. The biggest insider threat isn’t willful attacks; it’s willful disregard for security guidelines and human error.
Many Security Problems Come from Inside Your Organization
One study reports that 64% of the insider threats they tracked were due to staff negligence – careless behavior or human errors (DTEX Systems, 2019). For comparison, only 13% of their tracked insider threats involved compromised/stolen credentials, and only 23% involved intentional staff attempts to harm the organization.
1. Security is Only Secure If It’s Used
It shouldn’t come as a surprise, given the huge amount of money made on time-saving appliances, software, and other solutions in the consumer market, but human beings like convenience and hate hassles.
When it comes to security countermeasures, both physical and electronic, there often appears to be an inverse relationship between protection and ease of use. Unfortunately, there comes a point where the system becomes less secure, not more secure, because it’s so time-consuming and/or frustrating that staff don’t want to deal with it.
Culture Clash: When Staff Train Other Staff to Bypass Security
Sometimes systems of circumventing security become so endemic to a workplace that they become an unofficial part of the onboarding process. New hires are taught by their compatriots that “this is what everyone does,” with peer pressure both reinforcing the practice and holding them back from reporting it.
“More recently, we’ve heard senior staffers chortle about how the most junior person on a medical team is responsible for regularly pressing the space bar on everyone’s keyboard to prevent the computer from logging off the current user.” (Blythe, Koppel, & Smith, 2013)
The perception in this situation can be that the higher-ups “just don’t get it,” and don’t mind imposing unreasonable procedures on the folks in the trenches because they don’t have to deal with those procedures themselves.
“In settings in which access workarounds are discussed among groups in the lunchroom, violations appear to be trivial and arbitrary. Rather than being seen as protective, the rules are seen as annoying, like anti-jaywalking laws.” (Blythe, Koppel, & Smith, 2013)
Once this sort of trend takes hold, it can be difficult to reverse it, with stricter enforcement and penalties leading to more ill will.
2. Improperly “Saved” Time Becomes Lost Time
Even if bypassing security measures never leads to an organization being hacked, fined for HIPAA violations, or some other obvious negative consequence, there are costs. While some staff members may save time by avoiding security steps, that often means other staff members get tied up trying to stop them. IT staff go from defending against outside threats to policing inside users.
We’ve seen organizations using a manual 2-factor authentication scheme (passwords to encrypted files were sent separately via phone call or text) where IT staff had to monitor all outgoing emails to make sure users weren’t simply mailing the codes. The overall loss of productivity in a situation where most of the time there was no problem was staggering.
3. Improperly Spent Security Time is Wasted Time
It’s also worth remembering that while protecting the organization is essential, it’s also important to subject security policies to a cost-benefit analysis. User time is often regarded as a free resource in the security world, which makes no sense when other workflow modifiers are rigorously evaluated for staff-time savings or expenditures during the buying process.
“If the cost is greater than the entire harm caused by the attack…then the advice doesn’t merely do more harm than good, it does more harm than the attack it addresses. For example, suppose some security advice reduces the risk of becoming a phishing victim by 50%. If phishing victimizes 0.37% of users per year…and each victim wastes 10 hours sorting it out, to be beneficial the daily effort of following the advice should be less than 0.0037 × 10/365 hours or 0.36 seconds per day. Clearly, a user who makes the effort to read URLs to identify phishing sites will spend more time than this. Thus the advice is, in expectation, doing more harm than good. But worse, the advice is doing more harm than phishing itself.” (Herley, 2009)
This certainly doesn’t mean that cybersecurity as a whole is wasted time, but it means that it must be efficient to actually be useful, even if your user base is unusually compliant and every person follows the rules.
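To make the cost-benefit argument above reusable for your own policies, here is a small added model (not from the original post or from Herley’s paper) that takes the parameters the quote uses: the yearly victimization rate, the hours each victim loses, the fraction of that risk the advice removes, and the daily effort the advice costs every user. The phishing numbers are the ones quoted above; the 10-seconds-per-day cost of reading URLs is an assumed illustrative figure.

```python
"""Expected-value check for a piece of security advice (Herley-style).

All costs are in user-hours per user per year, so advice cost and
attack harm are directly comparable.
"""

DAYS_PER_YEAR = 365
SECONDS_PER_HOUR = 3600


def harm_per_user_year(victim_rate: float, hours_per_victim: float) -> float:
    """Expected hours a single user loses to the attack in a year."""
    return victim_rate * hours_per_victim


def break_even_daily_seconds(victim_rate: float, hours_per_victim: float,
                             risk_reduction: float = 1.0) -> float:
    """Largest daily effort (seconds) at which the advice still pays off.

    With risk_reduction=1.0 this is the bound from the quote: the entire
    harm of the attack spread over every day of the year.
    """
    avoided = harm_per_user_year(victim_rate, hours_per_victim) * risk_reduction
    return avoided / DAYS_PER_YEAR * SECONDS_PER_HOUR


def evaluate_advice(victim_rate: float, hours_per_victim: float,
                    risk_reduction: float, effort_seconds_per_day: float) -> dict:
    """Return benefit, cost and net (hours/user/year) plus Herley's two verdicts."""
    harm = harm_per_user_year(victim_rate, hours_per_victim)
    benefit = harm * risk_reduction
    cost = effort_seconds_per_day / SECONDS_PER_HOUR * DAYS_PER_YEAR
    return {
        "benefit_hours": benefit,
        "cost_hours": cost,
        "net_hours": benefit - cost,
        "does_more_harm_than_good": cost > benefit,
        # The stronger claim in the quote: the advice costs more than the attack itself.
        "worse_than_the_attack": cost > harm,
    }


if __name__ == "__main__":
    # Figures quoted on this page: 0.37% of users per year, 10 hours each, 50% reduction.
    # The 10 s/day effort for reading URLs is an assumed illustrative value.
    print("break-even (entire harm):", round(break_even_daily_seconds(0.0037, 10), 2), "s/day")
    print(evaluate_advice(0.0037, 10, 0.5, effort_seconds_per_day=10))
```

Swap in your own incident rate, hours lost and measured user effort to see whether a policy clears the bar before rolling it out.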
4. Overcomplicated Security Can Increase Human Error
Beyond looking at the time users spend implementing security guidelines, it’s important to also consider the cost of human error when users attempt (in good faith) to follow over-complicated rules. Certainly users will always make mistakes and IT staff will always have to help fix them, but the user and IT staff time consumed by each such failure should also be counted in the equation.
If a simple change to a security policy maintains protection while reducing the number of users locked out, it can save critical time (and thus productivity).
5. Secure and Easy = More Secure
Your organization shouldn’t be put at risk by security that gets compromised because it’s too much trouble. The most expensive, ironclad security checks are worthless if people walk around them rather than through them. In addition, staff time, effort, and morale are valuable, and should not be automatically considered “worth it” whenever security options are explored.
It’s time to start thinking about ease of use as part of all security solution assessments.
The best solutions to cultural insensitivity to security needs are to either a) give employees better reasons to follow the rules beyond saying “it’s company policy” or “you’ll get in trouble if you don’t” or b) make compliance easier than noncompliance.
Your users probably want to do the right thing. You need to make it as easy as possible so they aren’t tempted to take a shortcut.
Easy as Email, But Much More Secure
XMedius specializes in cutting-edge secure document exchange solutions that are intuitively designed for the perfect pairing of excellent security with ease of use.
XM Fax is an industry-leading Fax over IP (FoIP) solution that makes sending and receiving secure faxes as convenient as email, while dramatically reducing costs versus conventional fax and streamlining regulatory compliance.
XM SendSecure allows the safe, fast exchange of digital files in any format and sizes up to 5TB. This encrypted solution includes 2-factor authentication, ephemeral storage, optional double-encryption, automatic virus scanning, extensive recordkeeping of access & modifications, encrypted chat, and other security benefits.
Both products are available in on-premises or Cloud deployments (XM Fax is also available for Hybrid installs), enabling you to choose whatever suits your organization’s needs. Reach out to us to discuss how XMedius products can streamline workflows while better protecting your organization and simplifying compliance with GDPR, HIPAA, FERPA, SOX, and other regulations.
Blythe, J., Koppel, R., & Smith, S. W. (2013, September/October). Circumvention of Security: Good Users Do Bad Things. Systems Security, 80-83.
DTEX Systems. (2019, April 25). Insider Threat Intelligence Report. Retrieved from https://dtexsystems.com/2019-insider-threat-intelligence-report/
Herley, C. (2009). So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. New Security Paradigms Workshop 2009. Oxford: Association for Computing Machinery.