Do your workers treat your information security controls as wishful thinking?

Flummoxed by why your people keep violating seemingly obvious personal security rules? It might be because broken processes and ineffective first-line management have conditioned your workers to treat company policies and security controls as little more than wishful thinking.

If you’re curious to learn how vulnerable your organisation is to a preventable, employee-triggered breach, go visit whatever passes for the production floor in your facility. Go where the line-level workers live and labour. Observe how they manage the requisition, storage, and cross-levelling of mission-essential office supplies. Odds are, the way your junior workers fight over pens and paper clips will tell you everything you need to know about your organisation’s dysfunctional culture.

This subject came to mind last Friday. My oldest dropped by after work with good news: one of the most despised junior managers in his section had just been sacked. He was elated; I recognized the name of his newest ex-colleague from months of his workplace horror stories. This manager had been the star of many a late-night gripe: she’d been instrumental in a cascade of failures that resulted in everyone in the facility getting assigned compulsory overtime and weekend duty throughout the summer … and she was finally given the boot. Huzzah!

Happy as I was to hear the news, I was intrigued by an offhand comment my oldest made as he described how he and his team had reacted to the news. As soon as they’d realized she was truly done for, his pack of blue- and white-collar workers pillaged her private office for all the supplies they could carry. He made it sound like a triumphant army sacking a defeated city.

“Why,” I asked, “did y’all feel the need to do that?”

“It’s so darned difficult to get office supplies in our building,” my oldest griped. “There’s only one person in the entire facility who orders and stocks what we need. If you ask him for something that he doesn’t have, he’ll promise to get it for you … and then he’ll forget.”

Everybody needs to vent about the crap that happens at work. It’s much safer to relate those stories to an outsider than it is to complain to your boss.

The way my kid described it sounded typical: a single point of failure in the form of one unreliable clerk. Inadequate stock level management. Uncertainty, frustration, and delays. I asked him how he and his colleagues normally mitigate the problem.

“It’s a running battle,” he said. “The factory floor workers need pens, staples, and paper clips for all of the order paperwork they process. They can’t get any through the supply guy, and they have access to our office, so they constantly swipe our pens and supplies when we’re not looking.”

I asked him how he deals with the constant drain on his resources and he gave me the exact answer I was expecting: “We regularly sally out onto the factory floor and steal our stuff back!”

If this strikes you as dysfunctional, you’re right: putting workers in conditions where they must choose between accomplishing their assigned work and following company rules as mutually-exclusive options is how workers become conditioned to treat all company policy and regulations as obstacles to be avoided rather than as rules to be obeyed.

Management’s failure to properly equip and supervise their workers creates the conditions that eventually lead to preventable security breaches. These might come through a propped-open security door, shared user credentials, duplicated physical keys … any number of user actions that the company has strictly forbidden … misbehaviours that line management has trained the workers to believe are both correct and necessary if the work is to be done on time.


This isn’t anything new and it’s not unique to my oldest’s employer. This sort of “do-as-I-do-not-as-the-rulebook-says” culture is universal. I experienced it in my first job out of university. As a technical writer, I edited pilot training manuals on a PC and forwarded the proofs to quality control. Our typing pool went through a ton of office supplies … almost all of which were covertly scavenged rather than procured.

Our greatest “win” in the battle to equip ourselves came a few months after I joined. One of our colleagues had just returned from a year-long posting in Japan to receive his redundancy notice. His “welcome home” lunch became his “going away” party. As soon as the bewildered jetsetter was escorted out of the building, the oldest fellow on our team picked the lock on the fired man’s office. We helped ourselves to everything we needed like adventurers looting a dungeon. We left the sacked fellow’s PC and personal effects alone in favour of his useable office supplies. I let the raid chief help himself to some nearly-new notepads while I filched a plastic template that fit over a PC’s function key row and listed all of the shortcuts for WordPerfect for DOS. That little strip of plastic must have saved me forty hours of wasted labour. Worth its weight in gold, that was …

Where was I? Dysfunctional cultures. Right. Sorry.

The problem we had in my clerical pool back in the day is the exact same problem vexing my oldest’s shipping office: for reasons beyond our ken, upper management had – deliberately, carelessly, or obliviously – created conditions where labourers were not only allowed but were actively encouraged to violate company policy regarding theft. The combination of get-it-done-by-any-means-necessary management and a crucial breakdown in basic logistics management left workers in an untenable position. Of course workers will do what’s necessary to stay employed.


The trouble is, this disconnect conditions workers to perceive company rules as empty words. They learn that management obviously doesn’t believe any of the things they’ve “required” workers to follow. Policies are just something they show to the auditors every year so the bean counters will go away happy … Hopefully without stealing our pens in the process.

This is how behaviour-based breaches happen: once workers lose trust in company regulations, they’ll ignore the essential security controls mandated by those regulations. Simple as that.

How do you fix it? Simple enough: create and maintain the conditions required for workers to follow your company rules as written. Hold line-level leaders accountable. Fix broken processes swiftly and quash informal work-arounds. Finally, never publish a rule that you’re not committed to enforcing. Normal people, left to their own devices, will only follow a burdensome rule when (a) they can follow the rule, (b) they believe in the reasons requiring the rule, (c) they see everyone else following the rule, and (d) they see what management does when someone else violates the rule. You need all four conditions in play for policies to be effective … and you need viable, reasonable policies in play before people with better things to do will implement your burdensome and seemingly unnecessary “critical” security controls.

Copyright Lyonsdown Limited 2021
