Part four of a four-part series covering Ivanti’s latest research. Get the full series:

Big-picture excellence can hide pockets of risk. It’s time to explore security risk in detail — drilling down to look at vulnerabilities hidden in the data and by taking preventative action.

As the previous posts in this series have shown, employee demographics, their willingness to report security risks and country-to-country security culture differences pose hidden threats to your company’s cybersecurity efforts. They’re threats that have been uncovered in new research from Ivanti.

It’s up to an organization to take concrete steps to mitigate these threats. What are some of the key measures you can take?

Get the report: Hidden Threats: How workforce demographics impact your security posture

Survey your employees to uncover demographic propensities

Use an anonymous survey to surface insights about your employee base — paying close attention to demographic differences.

Are there unexpected findings? Conclusions that run counter to expectations? Use the findings to step up your training and outreach efforts, matching solutions to the segments of your employee base that need additional support.

Sample questions for an anonymous study of employee attitudes:

  • Can you identify a phishing attempt?
  • Have you been given resources and/or tools to identify a phishing attempt?
  • Do you feel comfortable asking the security team a question?
  • Do you feel safe reporting an error to the security team?
  • Do you think your actions have an impact on the organization’s security?

Challenge stereotypes about digital savviness and safety

Have your security team complete an anonymous survey that examines their assumptions about different employee groups. Do they believe older employees act less safely? How do those results compare to your general employee survey findings?

Try to shed light on assumptions that are not only unfair but untrue — and on how stereotypes might affect your security readiness.

“Part of understanding chronic repeat [phishing] clickers should involve a bit of investigation. In an organization of 5,000 people, it could be that there are certain roles that naturally encourage people to click even when your awareness program and other training discourages it. I’m thinking about departments that are constantly understaffed, departments whose job it is to process large amounts of email (e.g., recruiting), etc. Before anyone blames the end user, an organization should try to see if they are accidentally putting certain sets of users in no-win situations.”

- Reddit comment on why some employees are more likely to fall for phishing emails

Understand how global security culture is translated into local languages and culture

When developing any new training and guidelines or deploying new security technology, make certain to consult with local divisions to gain their input and buy-in. Simply translating educational materials and communications is not enough.

Solicit feedback from local offices about how well these programs “translate” to regional offices and the challenges they may encounter. Where possible, design materials that are culturally sensitive and appropriate for local offices.

Design the tech stack to minimize pockets of nonconformity and inconsistency

Rather than relying on individual users to conform to security protocols, build stronger back-end automation that is effectively hidden from end users — interventions that make compliance frictionless. For example:

  • Just-in-time software updates: Most employees don’t relish shutting down their computers and rebooting for software updates, so they tend to postpone the process indefinitely. Instead, use a system that forces a restart within 72 hours; this way, employees have some control over when the reboot takes place, even while enforcing needed updates.
  • No-stress password hygiene: Instead of asking employees to update passwords on a regular schedule, implement a technology that allows users to access two-factor password apps — no remembering or sticky notes needed.

Address how to build an open and welcoming security culture

It should be a culture in which there are no barriers to contacting security professionals, no matter how small the question or concern or how foolish the mistake is.

What are the key tenets of a strong security culture?

  • Open: Employees feel safe reporting an incident and are rewarded for their honesty and transparency. They feel comfortable approaching the security team no matter how trivial their question or concern may seem.
  • Iterative: The organization provides frequent, iterative training that’s compelling to employees. In between formal sessions, IT uses various tactics to keep security top of mind – from gamified security contests to lunchtime workshops.
  • Designed: Employee behavior is sharpened by tech-driven behavioral interventions. They are designed so well that they eliminate dreaded workarounds and non-compliance. As one security expert explained,

“Repeat clickers aren’t really the problem, or more accurately, they’re a relatively predictable problem. If you know someone has a hard time detecting deception, they need guardrails, not punitive measures or more ineffective training.”

Comment from the r/cybersecurity Reddit forum

  • Integrated: The responsibility for security is shared by all, and your employees are invested in keeping the organization safe.