This is one of the more compelling sections from our recent Reshaping Information Security MarketInsight study. The section (broken into two parts due to length) covers the central issue companies face with the messaging technologies they deploy: how people use the technology available to them.
End-user Behaviors
Another consistent point of view was the role the end-user plays (or doesn’t play) in ensuring proper procedures are followed and risks avoided. One participant remarked, “it is essential to protect employees from themselves.” Maybe a bit alarmist, but the point remains that there is a huge need for, and an associated gap in, training, awareness, and understanding.
Certainly it is unrealistic to expect every employee to think through every rule, policy, legal precedent, and applicable regulation before hitting the “send” button. Because email is the clearest record of events, one participant suggested a “Miranda Warning” for email: anything you say can and will be held against you.
It is a challenge to define and draw the line between reasonable personal use and unauthorized or unacceptable use of corporate email. Companies have approached this gray area in a variety of ways, including providing education “early and often” in the hope that repeating the message will “eventually change behavior,” or even disabling access if routine training is not completed. Online programs are provided for security awareness training, and temporary or contract workers are required to take it more often than full-time employees.
The key challenge here is that the solution must be designed for the least effective employee, regardless of employment status. We heard over and over that the higher up the chain of command you go, the worse the offenders can be, which makes leadership by example a key element in changing end-user behaviors. As with any enforcement program, there must be consequences for breaking the rules, and some organizations are reluctant to impose them because of a specific person’s role or perceived importance. Ultimately, people must own responsibility for their actions. Although most may not be malicious, their actions are certainly intentional, and many times they go without consequence, which merely exacerbates the problem.