How to create a company culture that cares about information security?

Question

Hardened Servers, IPS, firewalls and all kinds of defenses cannot solve security problems if people leak information without knowing simply because they're misguided.

I already tried to instruct them but they simply don't care, they cannot see themselves as an important part of our intrusion prevention system.

The company deals with sensitive information, but they prefer not to think about it. Our policies are one of the best I have ever seen, but no one follows them except the security team.

What should I do? Should I throw in their faces the logs of how many attacks my team is dealing with because employees bypass all the security?

If my team fails the telecommunication system of my country can be completely affected. I thought it was a motivation to take care of security, but no one cares except us because it's our job.

Has someone already dealt with a situation like this? Should I give up?

Answer 1

High Level Culture

In my experience, shifting a security culture takes 3 steps:

1. Get management buy-in to do things differently
2. Get personal management engagement to lead the way on what is important
3. Set the tone through training, media, and in-person events that "people like us do things like this"

Here's the thing: management has to be leading the charge on this, with help with the security champions. Management has to want, and encourage, the technical controls to apply to themselves. If management gets special conditions, game over.

Get a manager, the higher up, the better, to personally and publically express their desire to participate in a properly secure environment. Get them to express the frustrations and inconveniences, too. But also communicate that the inconveniences are important for the health of the company.

"I grumble on the mornings when I'm prompted to change my password. I think, I changed it just [1|3] months ago! But, I know that when I do, I'm cutting off a hacker's route to using my credentials to harm me and this company"

[yes, I am aware of the controversy about frequent password changes, but roll with the example for a second]

Then, once you have this great foundation, then start bringing that message to the personal level to everyone.

Teach Them to Secure Themselves

It can be easy for people to see company policy as disconnected from reality (have you filled in your TPS reports?). So pushing hard on company security can be a losing battle. Instead, consider teaching people how to secure themselves and their families. Show how hackers have and do compromise home computers and mobile devices. By doing this, you get them to really see the dangers involved. Once you have this buy-in, then it is much easier to shift the focus to dangers at work.

Get Some Teeth

If everyone is getting along with the policies, then that's great, but you need to have some worst-case consequences for people who do not comply. This is a tricky subject and you need to work with HR, GRC, and management to make this work.

Answer 2

Think of your users as customers. You are helping them meet their business requirements to secure data. That means it's your job to keep the requirements placed on them as sensible, justified and limited as possible. It's UX engineering.

Examples:

• if you make it hard to get a proper login on a system, workgroups will share passwords on post-its or whiteboards.

• 'security theatre' will reduce trust in the concept that precautions are necessary (making people have 20 character passwords changed weekly just to read the corporate Intranet).

• if the WW2 German Army couldn't make its operators follow security instructions (like changing Enigma rotor settings frequently), and given they could shoot people for disobedience, what chance have you got with mere hectoring?

Answer 3

This is a really difficult issue, but if you have the chance to change things, you should give it all you've got.

You can't change a culture overnight. However, there are steps you can take to begin changing the culture for the better.

---

Policy enforcement

This is first on my list. I'm in full agreement here that you need to enforce security policies, and discipline those who don't follow them. That includes everyone from top to bottom.

Would you rather endanger the company by letting those who continue to screw up repeatedly... well, continue to screw up repeatedly? Don't expose your company to unnecessary dangers.

People who are dishonest in little things are dishonest in bigger things, and aren't worth the time it takes to discipline them. These folks are at the top of my termination recommendation list. Anyone who is honest about what they did wrong would be suspended at worst, unless they keep making the same mistakes over and over again.

If someone has a disagreement, give them a place to voice their opinion, but don't just roll over for them. Gently explain why... some users need to know why, it's just how they think. Those users almost always ask questions about why they should do something. Be prepared to teach them.

If someone refuses to follow security policies, you need to find employees who will. It's really that simple.

---

However, ain't nobody got time for a giant list of rules

I'm of the opinion that having too many rules is detrimental to those doing their job. That's why you should have a few specific rules for everyone, and then create role-specific rules.

Bobby in accounting is not customer-facing. I don't need to teach him about buffer overflows, SQL injections, xss, csrf, whatever. Cathy down in Finance doesn't need to know about server hardening techniques.

Buff Markalo in engineering definitely needs to know, though. And he has to understand the policies he's being taught.

---

Make training easy to digest, and simple to understand

You need to know your audience before even starting, or you're doomed before you start.

Remember, examples are SUPER helpful to make people understand what they're reading. I'm going to list a few super basic topics to help you get started. Feel free to add to them, but don't make it overbearing.

1. Developers.
   • Make it platform-specific, and give platform-specific examples.
   • You can make it short and simple. You can even develop easily-digestible videos that are only around 5 minutes long for each of the OWASP Top 10 vulnerabilities.
   • .gitignore, not storing the wrong stuff on GitHub, etc.
   • Anything relevant to your environment.
2. Customer-facing employees
   • No to credit card storage, or you're fired.
   • Dos and donts.
3. Everyone
   • Explanation of phishing / whaling / social engineering, and how they work.
   • Anything relevant to their role. Customer-facing? Don't touch cardholder data in any way.
   • Don't share your passwords / accounts
   • Don't set up unauthorized resources (servers, virtual machines, etc).
4. Sys Admins
   • Proper hardening procedures
   • Urgency of upgrading vulnerable components
   • Anything relevant to their environment.

And always update every time you find an issue that didn't exist before. You'll never get everything, but you can get most.

---

New hire security orientation

This goes without saying. You need to ensure all hires undergo security orientation. If you make a digestible learning package that assumes everyone has a short attention span, you'll have much better success than 2+ hour videos of security with some guy droning on in a serious voice. I don't even want to watch that crap.

---

Quiz them

You'll need to see if they actually understand what they're learning. Make everyone take a yearly quiz, and don't allow those who fail to continue working unless they pass.

Reinforcement quizzes, and general competency quizzes help too.

Don't forget to know your target audience. If your target audience likes immature humor, use that in the quizzes.

---

Hunt down security issues, and confront those who cause them

Have a hunter? Have them hunt down the security issues on your own network(s), and explain them in depth to the teams responsible for these holes. Document everything they did wrong, and approach them and tell them it needs to be fixed.

If they refuse to fix or change, see the Policy enforcement above.

Don't believe anything users tell you. Always verify what they're saying. Honest people are the easiest people to work with in the world. Dishonest people create far more problems than they help with.

---

Recap

1. Policy Enforcement
2. No overbearing rules. Don't prevent people from getting their jobs done.
3. Make it easy to digest, and simple to understand. KISS works really good.
4. New hire security orientation.
5. Quiz them.
6. Hunt down security issues and confront those who create them.

Over time, people will change. It's sometimes an uphill battle, but one worth fighting for.

Answer 4

I'll take little detour and answer the question implied by this part:

but they simply don't care

@shroeder's answer already covers the starting point which is to have the management on your side. And teaching people how to secure themselves is a very good take on how to perform the indoctrination, but I'll extend it. Let's ask how you can motivate the employees of the company to be more aware of security.

In general, regarding changing work habits, you will encounter three kinds of people. By providing incentives to each type, you will increase your chances of successful implementation of a culture of security. You may encounter:

1. The career man: Most often represented by middle managers or project managers. Their focus is on documenting their capabilities, and you shall explore that. Provide the security training for them in official sessions with completion certificates.

   A certificate means little in terms of actual knowledge, but you can perform an examination to actually give out the certificates. You can make them study, by themselves.

2. The geek: Technical staff, operations staff (depending on the company), and often other staff members that may be trying to evolve their career. Their focus is curiosity. To a geek, you can show an example of debugging a piece of malware or explaining a buffer overflow and from there extend the policies you want to implement. Give them curious facts and then link them repeatedly to the company security.

3. The drone: Some people just do not want to change. They simply want to be told every detail of what they need to do, and never do more than that. They can be found at every place and level within a company. And there is no magic rule here, you need to make them face consequences if they do not comply with the policies. Often you need to enforce these consequences very ruthlessly to make sure that other drones adapt to them.

Answer 5

This is a difficult situation to remedy if you're already set up to have an antagonistic relationship with the other departments.

There are going to be a whole mess of assumptions in this answer. These are just some thoughts based off of my own experiences. YMMV.

Driving cultural change is hard, and most typically you will need to change several groups to care about Security differently:

• Security department:
  • Will need to get Security to care less about Security for Security's sake.
  • Informed "acceptable risk" discussions may need to happen. There will be times when Product will take precedence.
  • Stop presenting a culture of "no".
  • Make it easy to test for "basic" security compliance. (Incorporate security testing in CI/CD pipelines, for instance.)
• Development teams:
  • You will need to convince other teams to consider Security up-front, as a core product feature.
  • It will need to be a continual consideration; time needs to be allocated up-front on a recurring basis (sprint, week, month, etc) to evaluate platform / framework / plugin versions for security patches. Make it a relatively small amount of time, but make sure that say 4 person-hours every sprint is pre-allocated for hygiene.
• Systems/Operations
  • Remind them that you're there to help them. (Stick and Carrot doesn't work if you don't have a carrot.)
  • Work with Systems/Ops to automate security patching, compliance reporting.
  • That takes time, so do your best to not surprise them with a slap-down notice without heads-up if possible. Sys/Ops teams don't appreciate getting thrown under a bus when, say, a Security review report goes to executive leadership.
  • Help them to incorporate security testing with Operational monitoring
  • For instance, they may have a https monitor that goes off before the cert expires, but they are less likely to have one for weak ciphers.

Finally, there's a lot of insight to be gained from Ben Hughes' DevOpsDaysMSP 2014 talk "Handmade Security at Etsy", where he discusses this very topic.

Answer 6

Okay, you should only try this if NOTHING ELSE WORKS. You have been warned.
Here's the thing, humans often won't realize the importance of something until they lose it, the same way that people don't start taking backups of data until they first lose something important to hardware failure.

Showing them how many attacks you prevented won't help. They'd just get even more sure that you can withstand any attack. What you need is a successful attack. Or at least make it look like one got successful.

So... On a holiday or something, pretend that your network was targeted and compromised. Make it convincing. Take the network drives offline for an hour or two. And then say that you managed to recover everything, but the attacked was caused because someone left important confidential credentials lying around or their account logged in on a public PC. If this doesn't work, nothing else will. I once did this to my team, and trust me, they lost all their carelessness. The shock of having possibly lost the project that they'd been working on for months made them really serious about security.

However, there are a few things that you should keep in mind:

• Your boss/seniors should know about this staged attack. Tell them that this is the only way to protect the organization from a serious attack later in the future. BUT TELL THEM. You really don't want to get fired because you tried to teach someone the importance of being careful with their passwords.

• Your colleagues might not react well if they realize that the whole incident was staged. Please think before disclosing this to them. My team understood why I did this. Your's may not.

PLEASE THINK A LOT BEFORE GOING AHEAD WITH THIS.

Answer 7

The problem you're describing also applies to drug and bomb sniffing dogs.

It doesn't matter how much you yell at them and threaten them, drug and bomb sniffing dogs can lose interest very quickly if they can't find what they're looking for despite all the work they're doing.

That's why the trainer needs to constantly hide fake drugs or fake bombs to keep the dog engaged in its activity. And yes, the trainer will use treats initially, to associate with finding something, and to reinforce the reward, but what ultimately keeps the dog engaged is the element of play and the idea that the dog is looking for something that is very likely to be found (even if the found object has to be faked most of the time to keep the dog interested).

This is why your company should implement a regular regimen of penetration testing and social engineering attacks, and then regularly review its results afterward with everyone involved. There is really no substitute for this kind of thing.

The fact is, your servers may be getting hammered by port scanners all the time, but that doesn't matter to your executives or your receptionists. What they need to see is actual attacks that affect them, or that they haven't thought about, and the best way to do that is to attempt those attacks on them in the environment that they're used to.

This also lifts the burden of social awkwardness when confronting or blocking someone of perceived higher or equal authority. At my workplace, we had a strict policy of not letting anyone we didn't know follow us through the door after we used our RFID card to enter. But of course, the college interns and the night janitors would never demand the credentials of someone who appears like (s)he could be working there. For them to do something like that, they needed to think there was a reasonable chance that it was test or a drill, since the actual probability that it's a bad guy/gal was actually very low comparatively speaking.

And please don't think that I am just blaming janitors and interns, they're not the only one who may break protocol just because they're too nice, or because they're going for the most convenient solutions. Employees, executives, and many others will do the same thing.

Answer 8

The biggest security problem is actually the user pool.

No security can defeat user stupidity (like clicking on a script received by a random e-mail).

What you need to do:

• present the risks to management

• present examples of bad things that happened

• present a countermeasures plan (technical)

• request to have rules that are mandatory for everyone and enforce your security policy (create one if you do not have already)

• request a penalty system to be created for those proven to break the rules several times

• make the management organize training with the users - this is the most important - training must contain everything from more complex security issues that can be prevented by user compliance to simple what not to do list (i.e. do not click links in e-mails)

Answer 9

Simplicity & Consistency

The security policies need to be easy for people to follow. Many organisations have policies that do not reflect reality, are self-contradictory, and that people need to break to do their job. The solution is to make policies simple and to accept feedback from users.

Enforcement should be consistent. If some people break policies and nothing happens, this encourages others. Use technology to enforce policies as far as possible, relying on individual users as a security control should be a last resort. Also, the best way to stop people leaking information is to not give it to them in the first place.

Others have mentioned needing an enforcement "stick" for people who don't comply. I think that is counter-productive and discourages people from talking openly.

Classification

You need to work out which bits of your operation are critical. Everything in business is important to some extent, but some bits are "regular important" and other bits are "super critical".

The super critical bits you need to have very strong controls for. And the regular bits you have controls that are a balance between security and usability.

I think a lot of problems in Corporate security are the failure to do this. The security department try to get the whole company to work to the "super critical" level - which isn't realistic.

Answer 10

Show the WHY

There are already very good answers to this but allow me to contribute this little detail:

To get your users on your side show them WHY all these policy requirements are vital!

Here is a very basic example: Give them examples of how quick bad passwords can be exploited.