How to Improve Employee Compliance with Security Policies
By most accounts, employees are the weakest link when it comes to enterprise cybersecurity. After all, many of the largest attacks on businesses in recent years have been the result of employee behavior, such as opening a phishing email or downloading infected software. In fact, evidence indicates that about 90 percent of all data breaches and other security breaches came from phishing emails, which continue to be an effective method for hackers wishing to gain access to corporate networks.
The fact that this continues to be an issue has many IT experts scratching their heads. They spend a great deal of time and money investing in network security solutions, employee training and monitoring — and still employee behavior causes problems. Clearly there is a breakdown somewhere, and all signs seem to point to employee compliance with company policies and procedures.
Understanding Why Employees Ignore the Rules
The first key to getting employees to follow IT best practices and company policies is to understand why they ignore them in the first place. In many cases, the problems boil down to a few key factors.
- They don’t know or understand the rules. While surveys show that most employees have at least some knowledge of their company’s cybersecurity policies, they don’t always know everything, and they have to use their best judgment when the rules aren’t clear. Often, policies are too complex, training hasn’t covered everything they need to know, or training hasn’t taken place in years. In short, IT hasn’t done its job of adequately presenting the risks and explaining how to avoid them.
- The rules make it hard to get work done. In many cases, IT policies make it difficult for employees to get their work done efficiently. The result is a rise in shadow IT: the use of unapproved or unsecured services and apps that do make it possible to be more productive. Many people simply don’t have the time to wait for IT to find and roll out a solution, or they assume the answer to their request will be no, so they find a workaround for themselves that creates risk.
- The rules aren’t enforced. All it takes is for one person to “get away” with something to open the door to other employees walking right through it. When the rules aren’t consistently enforced (or enforced at all) and there aren’t any consequences for breaking them, then people are going to take advantage. It’s just human nature.
Given that most people think that IT security rules are too cumbersome or unclear, and that no one cares anyway, clearly any efforts to improve compliance need to focus on simplifying and enforcing the rules.
To this end, you can improve compliance in the following ways:
- Keep the rules simple. Password policies are often too complex to work, for example, and many employees find workarounds to make it easier to remember their credentials. In fact, the U.S. National Institute of Standards and Technology (NIST) recently revised its password recommendations, dropping the rules about frequent changes and complex passwords and recommending solutions like password managers and multi-factor authentication instead. Whatever the rules, avoid long, drawn-out explanations and directives; instead condense the information into a simple directive with clear instructions. This way, the information is easier to retain and follow.
- Offer ongoing, personalized training. Security training isn’t something that can be done once and never addressed again. Threats change all the time, and expecting the average person to keep up with them all is unrealistic. Security training should be an annual event at minimum, and it should use entertaining, relevant examples that create a culture of security, not a culture of “no.” Everyone should understand why security matters and how it can affect them and their jobs. When people see how they can be personally affected by security breaches, they are more likely to comply with the rules.
- Use teachable moments. When employees make mistakes, and they will, use them as teachable moments. Show how phishing messages are effective, offer guidance on how to use different services safely, and explain the risks and what to do instead. This contributes to better enforcement and helps people understand what they need to do to stay within the boundaries.
- Improve IT-employee relationships. In many companies, IT is viewed as an adversary rather than a partner. When employees don’t feel comfortable asking for help or reporting incidents, security breakdowns happen. IT should work on building relationships with different departments and on understanding how everyone works and what they need. Doing so opens the lines of communication, which can improve compliance.
When employees comply with IT security policies, they can be an additional line of defense against incidents. Instead of simply tightening the rules, take time to understand why non-compliance is happening, and adjust your approach to encourage more people to follow them. Ultimately, your organization will be safer and more secure.