
Security Think Tank: Let’s call time on inciting fear among users

The traditional picture of a hacker is of a script kiddie in a hoodie hunched over a computer keyboard, but this stereotype is stale and outdated. Is it time to move away from a fear-based approach to security?

Traditionally, business users are not directly engaged with day-to-day IT security activities and are therefore not briefed on why security is important both to them and the enterprise overall. As a result, IT security is often widely regarded as an “IT problem”.

The security industry has tried to address this in different ways, including blaming end-users for incidents (which results in people not reporting anything to avoid getting into trouble), and forcing security on employees with complicated solutions (which leads to users finding innovative workarounds in order to carry out the activities required to do their job).

The “hoodie hacker” was born from the idea of adopting imagery that would resonate with people and dissuade them from carrying out activities that put the organisation at risk.

However, as with the tactic of blaming end-users, this approach can also incite fear. Any error, however small, is presented as leading to an outcome that is disproportionately “bad”. This is potentially counterproductive – when IT security is made frightening, confusing and obscure, the temptation is to ignore it. Someone in finance, for example, might feel they have no power to stop a hacker.

When searching for a solution to this conundrum, it is important to remember that crime in general is not new. The vast majority of cyber crime is rooted in traditional illegal activities that have been occurring since the beginning of the human race. Even “modern” cyber attacks, such as the oft-quoted Nigerian prince scam, can be traced back to the 1700s and the last Anglo-Spanish war.

In general, people understand crime. Leaving a car unlocked means it is more likely to get stolen. Letting random people into the house increases the chance of being robbed. Locking the doors of the house but leaving windows open gives burglars an easy route in. But there is a disconnect when it comes to translating these events into their cyber equivalents – failing to use passwords or responding to phishing attacks, for example.

Tailored tools and communication

IT professionals therefore need to understand the audience and their different motivations, and adopt ways to communicate messages and information to which these “non-IT” teams can relate, such as talking in terms of business risk and using scenarios that are already familiar. The executive is unlikely to be interested in arguments framed around too many users having privileged access within an application – but they will care that the entire business could be disrupted if definitive action is not taken.

If bringing organisational threat to life via the script kiddie image works, then it’s an effective tool in the fight against cyber crime. But it’s not the only one. Other people may relate better if different types of cyber attack are likened to the more traditional forms of crime that are familiar to them.

Equally, a carrot approach can be highly motivational, such as showing users that they are already being secure by using strong passwords and highlighting that being cyber safe is easier than they think.

Substantiating the threat to the business is also a useful way to help end-users understand why security is important. Appreciation of the problem will help to increase cyber awareness and trigger a more diligent response from the wider teams.

Where knowledge is missing, tailored training that addresses specific weaknesses should be undertaken.

Employees are as important as the IT security team in preventing and spotting actual and potential breaches. They need to know this and be reminded regularly. Constantly vigilant personnel act as a human firewall. This needs to be reinforced with a process for reporting issues that is simple and, ideally, anonymous.

At the same time, rather than putting textbook controls in place that stop users working effectively, IT professionals should coordinate with business departments to understand how they need to work, and then ensure that is both secure and practical.

Tackling the omnipresent cyber security challenge is as much a cultural issue as a technical one. Forging stronger links between the business and IT can only happen with senior sponsorship and “top down” example-setting.

The script kiddie image can be useful in the right circumstances. But, as we move into a world where everyone within the enterprise is responsible for security, the barriers that have crept up over the past decade need to be dismantled. In their place, ways of working that foster knowledge, understanding and collaboration – rather than fear – need to be adopted.
