Although most people are savvy to Nigerian princes requesting banking PINs so they can transfer their millions into our accounts, most of us still default to a trust mode when using email or services from the Internet. We seem to implicitly trust people on the Internet we have never met, which by itself is a strange phenomenon worthy of further study.
Blue Coat's own Global Cyber Security Survey, conducted by independent research firm Vanson Bourne, found that employee behaviour is a real and present danger. Though CSOs may baulk at the idea, the study found that a fifth of employees will open an email from an unverified source. Nearly two in five use social media for personal reasons at work, exposing them to malware and to exploits carried over encrypted traffic. More than half use personal devices for work.
You might assume, then, that the message coming from IT teams is simply not getting through. But that's not quite the case. Blue Coat's study found that 73 per cent of employees knew that opening an email attachment from an unverified source was a business risk (and those categorised as IT decision-makers were no better).
Australian employees were among the least likely to use new applications without IT's permission (only 14 per cent had done so), yet the threat remains.
Simply banning social media, shadow IT and personal devices is impossible and ineffective. There are benefits to them too: social media can actually raise worker productivity, and unsanctioned IT makes good business sense to employees who seek to be as efficient, productive and collaborative as possible.
If employees are aware of security risks but take them anyway, it indicates that the message is getting through but is not effective. So perhaps the message, or our actions, are wrong.
For too long CISOs and their teams have been seen as disciplinarians: strict masters who issue rules about what employees shouldn't be doing. Sadly, many are perceived as an obstacle to doing business, a hurdle to be overcome or, worse, bypassed.
Effective CISOs know how to make the case for good security practices appealing to busy employees, balancing security with employee productivity. In short, they implement effective, usable security measures that are understood by non-IT people in the business.
Fortunately for CISOs, the damage done by security breaches at major companies is increasingly in the spotlight, raising awareness at both board and executive management level and providing an ideal environment in which to address these challenges. Too often, though, this simply translates into "how much will it cost me to be secure?" rather than a shift in thinking towards an organisation with a mature and capable risk culture.
Real-world examples of breaches are plentiful, and so are the losses suffered by businesses. Harnessing these examples and demonstrating the business impact in real terms can be an effective way to educate staff, raise awareness of the challenges and make the case for building a risk management culture in the business.