The second part of the post on End User Behaviors from our MarketInsight report.

End-user Behaviors (continued)

The topic of training came up repeatedly whether we were talking about encryption and how its proper use relies on end-user training or that, at a high-level, it makes a lot more sense to educate people than to react to incidents once they have occurred.  There was general agreement that expenditures on technology could actually be less with proper (re)training programs in place to provide constant education and build awareness.

There is a deep down expectation of privacy that most, if not all, employees have about their corporate email even though none exists.  Most companies allow “reasonable personal use” but struggle with how to define it or where to draw the line, but many participants admitted that even they did the things they were telling people not to do – underscoring the difficulty in solving the problem and that this is not just about technology but people.

Providing immediate feedback to the user is one way to create awareness and to change behaviors.  When providing feedback, the wording of the message can prove to be difficult to nail down requiring much iteration with corporate legal departments.  In one case, a log-in banner was rewritten due to the welcoming tone of the message and was interpreted to be “too welcoming” and that it might construed as inviting unauthorized users on to the network. 

Other forms of awareness building included “email awareness emails” (the irony of which is apparent) and one company cited how they provided people cell phone reminder cards showing employees how much a cell phone could cost above and beyond a land line.  This simple awareness program reduced cell phone expenditures by some 25%!

Awareness and education were certainly viewed as the best possible avenues to address the people aspects of email usage however as one CISO pointed out the next generation of workers will enter the workplace with mobile phone, their own laptops, etc. and a certain sense of “entitlement” to intellectual property as they grew up with freeware/shareware and limited to no concern for copyrights or information protection. 

No matter what, an effective information security program for email will rely on the employees and their awareness as key ingredient in changing culture and behaviors.  As another participant summed up, “everybody speeds” but we “have to teach them” about the limitations and risks as smart people will continue to find workarounds if safeguards are perceived to be barriers placed in their way.

One of the more compelling sections from our recent Reshaping Information Security MarketInsight study.  This section (broken into two parts due to length) is about the central issue companies face as it relates to the messaging technologies they deploy – how people use the technology available to them. 

End-user Behaviors

Another consistent point of view was the role the end-user plays (or doesn’t play) in ensuring proper procedures are followed and risks avoided.  One participant remarked “it is essential to protect employees from themselves.”  Maybe a bit alarmist, but the point remains that there is a huge need for and associated gap in training, awareness, and understanding.

Certainly it is unrealistic to expect every employee to think through every rule, policy, legal precedent, and applicable regulation before hitting the “send” button.  Because email is the clearest record of events, it prompted one participant to suggest a “Miranda Warning” for email in that anything you say can and will be held against you.

There is a challenge to define and draw the line between reasonable personal use and unauthorized or unacceptable use of corporate email.  Companies have approached this gray area in a variety of ways including providing education “early and often” hoping that repeating the message will “eventually change behavior” or even disabling access if routine training is not completed.  On-line programs are provided for security awareness training and those workers that are temporary or contract are required to take it more often than full time employees.

The key challenge here is that the solution must be designed for the least effective employee regardless of their employment status and we heard over and over that the higher up the chain of command you go, the worse the offenders can be – making leadership by example a key element to changing end-user behaviors.  As with any enforcement program, there must be consequences to breaking the rules and some organizations are reluctant to do this based on a specific person’s role or perceived importance.  Ultimately, people must own responsibility for their actions and although maybe most are not malicious they are certainly intentional – and many times without consequence which merely exacerbates the problem.

I just finished reading The Influentials by Jon Berry.  This is another book that I was reading for some time and managed to put to bed on my flight to Boston.  Great read.  It is heavily referenced in Applebee’s America and is a required reading (I believe) for anyone claiming marketing chops these days. 

Understand that the market is heavily driven by these types of people – whether you are selling a candidate, a product, or a service.  Read and learn.  One of the things that really stuck in my mind (in addition to more than enough stats) was the desire of this group for a high pace, high peace lifestyle.

When they are on, they are on.  When they are off, they seek "peace" time just as aggressively. 

Good analogy in this book about being a water stop on a road race.  Give them what they need, when they need it, then get the hell out of the way.