Seems like every week we hear a story blaming employees for being lax about security. They have bad passwords or they fall for phishing scams. They do all kinds of things that compromise your company’s security position, but here’s the thing. You shouldn’t be blaming only your employees, when they are using the systems and policies you’ve put in place.
It’s easy to see employees as the weak link, but that’s not how you should look at it. They shouldn’t bear the sole responsibility when it comes to security. The systems they use should be inherently secure (to the extent possible) and should something slip through, it’s ultimately your fault because you put bad systems in place, or you didn’t train them well enough.
Employees should not have to worry about security any more than they wonder about how their applications work. They just know when they open up an application, it’s going to do the job as intended.
If one of those applications breaks down, are you going to blame the user or the developer or firm who runs the service? Of course you wouldn’t blame your users. Whatever happened was clearly beyond their control. Using the service didn’t break it, something in the service itself did.
By the same token, there is no reason to blame your employees if something goes wrong with your security. Individuals can in fact be weak links, but it’s up to the company or the service providers they hire to put up guard rails to make it hard for the employee to go outside the guidelines and make the organization insecure.
Set up the systems
A few years ago a friend of mine was working at a large financial services organization. He was trying to fill out an application for a line of credit with his bank, and he decided to email it to himself to finish at home. When he tried to send it, the system flagged it because it had personally identifiable information (PII) in it, specifically his social security number, and it wouldn’t let him do it.
As you can see, this company had set up a system to save its employees from transmitting sensitive customer data outside the company. In this case, they were saving my friend from himself, but the idea wasn’t to make it easy for him to send his own PII to his home email. It was to save the company from an unintended data breach.
That’s how all security should work, whether it’s preventing an employee from exposing information they shouldn’t or using a bad password. While some people are going to blow through your warning systems, for the most part, if you set up systems to guide your users and provide training to better equip them, instead of blaming them, you are going to prevent most problems before they happen. And if bad things happen, keep analyzing your systems and policies instead of pointing the finger at your employees. In most cases, they’re just using the tools you gave them.
Photo credit: KieferPix / Shutterstock
Photo credit: Pixabay by PublicDomainPictures. Used under CC0 license.
