I love the new TV show "Scorpion", which depicts extreme geniuses Walter O'Brien and his team solving high-risk crisis scenarios using nearly impossible solutions. As everyone should know, the real-life Walter O'Brien, whose high IQ and comparable achievements spawned the basis for the TV drama, actually identified the brother terrorists who were behind the Boston Marathon bombing, according to CBS, Boston.
O'Brien comes by his intellect naturally. Enterprises are still searching for man-made means to effectively spawn higher Security IQs among employees whose risky behavior welcomes attacks right in the door.
How We Treat Low Security IQs Today
Whether you call it a low security IQ or a lack of awareness and discipline, employees make bad security choices. You can't get through a month now without hearing about another major corporate data breach. The kicker is that the low security IQs that adversely affect enterprise data also lead the enterprise.
The Ponemon Institute recently surveyed more than 1,000 international enterprise employees, mostly senior-level people, about risky security behavior. The results are an unsettling trip down corporate "Disturbia" lane.
According to the report, "Breaking Bad: The Risk of Insecure File Sharing", half of surveyed participants indicated that they don't know whether their enterprise can manage and control user access to sensitive data or how employees share and distribute data. Sixty-one percent of those surveyed in the same report say they often share files via unencrypted email, don't follow policies that dictate when to delete confidential documents, and accidentally send files to people whom the company has not authorized to have or view them.
Perhaps the enterprise shouldn't promote those who click before they think, but being too harsh or expecting too much from employees does not help either. Taking a punitive approach to modifying risky employee behavior is a key challenge to success in raising security IQs. "A punitive approach leads to counter reactions where employees become disengaged and don't want to be forthcoming when there is a security issue," says Scott Greaux, Vice President of Product Management, PhishMe.
Equally oppressive is the tendency to overwhelm employees with too much information about security issues or with information they can't grasp. "You don't need to tell everyone everything or to have them be security experts. Simply make sure they understand the risks that they face," says Greaux.
Solutions for Raising Security IQs / What Does It Take?
To raise security IQs, security departments must be available, appreciative, and responsive as sounding boards for any security issues that an employee would even consider sharing. "For example, have a method by which users can forward a suspect email to a trusted party who can determine whether it is clean or malicious," says Rich Owen, CISO, American Traffic Solutions and Hall of Fame Member, the ISSA. These are opportunities to involve and engage employees, teach them, and help them sharpen their skills and judgment for spotting phishing and other attacks.