Training Users to Get Clueful about IT Security

Everyone in IT wants employees to be educated about security — if for no other reason than it’s a major pain to clean up the mess when the lesson doesn’t “take.” But judging by the number of security breaches and the amount of corporate data left unprotected, the message isn’t getting through. Really: IT has to take action. Here’s what I recommend.

According to a 2014 report from IBM, 95 percent of all security incidents involve human error. You’d think that users would know better by now — but they don’t, because in many cases nobody told them the right way to protect company data. Employees can’t respect policies they don’t know about; and if nobody tells them about a policy, what do you expect?

There are significant gaps in what companies are doing to educate the people who work for them (employees and contractors alike) in terms of general awareness and training. Research performed by Dimensional Research on behalf of Druva, focused on data privacy protection, found that security and privacy policies don’t always make the transition from the theoretical to the practical. For example, even though nearly all of the 214 IT professionals surveyed said data privacy is a significant issue in their organization, just 61% of employees are asked to sign a data privacy agreement, only 54% of organizations offer regular training, and 38% offer ad hoc education programs.

If two thirds of the employees aren’t told how to behave, how can you expect them to do so?

Users don’t think about security. Why should they?

Sometimes it seems that companies put their focus on technology rather than on internal education. For those of us who are sensitized to matters of security and privacy (and who quail at the consequences of their failure), our gut response is, How could that be?!

Technology is an enabler and an amplifier of human thought. When you know what you want to do, technology can help you do it faster, cheaper, smoother, more reliably. But no technology works well in the absence of thought and understanding.

In the real world: Business is business. Security and privacy are not the first things that people think about, because their daily responsibilities are “How do I make this sale?” and “I need to keep my project schedule on track.” Anything that helps the employee in his (and his team’s) endeavor is valued; anything that presents a barrier to that business goal is resented (at best) and worked-around (at worst). Including security policies. Especially security policies.

People go around security policies because, in their eyes, they need to get their jobs done. Without education, employees might not understand why things are the way they are, that there are good reasons for the policies the organization put in place.

Therefore, they think up a more “efficient” way to do things that sidesteps security. We see this in employees’ unauthorized use of tools like DropBox and OneNote for company work — despite everything about it that makes IT squeal in horror — simply because they want to do their jobs. Nobody breaks the rules intentionally, with the aim of disrupting the organization or endangering anybody; they just thought it was an easier path.

So it’s IT’s role to change their minds — and not just by edict. IT needs employees to be partners in the process of protecting the company, its data, and its employees. That means that any kind of training (by whatever term) has to be in the direction of improving humans’ awareness of both goals and practices. IT also has to consider tool and process usability that aligns with the way employees work.

If you think education is expensive, try ignorance.

Ultimately, we want to train users that cutting that (security) corner is not worth doing, that the risk is far greater than the temporary “reward.” Just as they would not drive through a Stop sign because they’re late for work.

There are at least three stages in this effort:

  • Make employees aware of the issue (that is: Ignorance is curable).
  • Make employees agree to comply with the business policies whatever you think of them (Here’s the stick!).
  • Make employees buy into the reasons they should comply (Here’s the carrot!).

Ideally, you convince people to buy into your message. When they understand and agree with the purpose they’ll be better motivated to do the right thing, even in the absence of a formal policy for the specific instance.

Remember, too: Education works in more than one direction. It’s sometimes easy for IT to come up with security policies that make IT staff’s lives easier but which practically taunt users to disobey the rules. Don’t put policies in place — with tech to back it up — that keep people from doing their jobs.

Also, train people how to do things the right way, rather than waggle your finger at them about how they’re doing it wrong. That is: “Here’s how to share files securely” rather than, “If we catch you sharing files on a USB key there will be hell to pay!”

For a useful example, look at the sexual harassment prevention training that companies of all sizes offer — or rather, require of! — employees. Such training is required in some localities (such as the state of California), and its goals and practices are surprisingly in line with what we yearn for in IT security training:

  • Understanding what constitutes proper and improper behavior
  • Testing to affirm understanding
  • The effects if the behavior goes uncorrected
  • What to do if you see something being done wrong (whether or not it affects you personally)
  • Managerial responsibility and oversight; and
  • Tools or guidelines to help understand the proper processes for uncomfortable situations.

That’s a good model for IT security training. After all, in both realms, when people know what’s going on, 99% of the problem can go away. (“I never realized why that was wrong!”) In security, often there isn’t policy training — until it’s too late. At some companies, the liability from a cyberattack is a lot higher than that from a sexual harassment suit — but look at how much effort goes into training to prevent the latter risk.

Employees rely on their computers to help them accomplish something. Employees are motivated by their business goals — and tech is expected to enable it, not to get in its way. Approach security training with that thought in mind, and we’ll all win.

Esther Schindler

Esther Schindler, Druva's editor, has been writing for the tech press since 1992, and has been editor at industry publications since the late 90s. Her name is on the cover of about a dozen books, most recently The Complete Idiot's Guide to Twitter Marketing.

Esther quilts (with enthusiasm if little skill), is a top Amazon reviewer, and is an avid foodie. She works from her home in Scottsdale, Arizona, with one of two cats on her lap.

1 Comment

  1. Jack Cain 1 year ago

    Security breaches cost millions to clean up at best, and can put your company out of business at worst. In most metrics involving that kind of impact, C-level management defines bonuses built on meeting certain goals, or avoiding certain negative outcomes. Those bonuses, or lack thereof, work – that’s why they are used.

    People will pay attention to security when it impacts their wallet, and managers will push it only when they are being measured on compliance.

    However, be careful how metrics are defined. Case in point: the VA debacle. Wait times went down, even if they had to remove vets to do it. I saw a help desk gain 100% compliance with an “answered on the first ring” metric by employing an automatic answering system that answered on the first ring, then immediately put the caller on hold for tens of minutes.
