What People Do v. Cybersecurity Rules


You know you shouldn't plug your device into some rando port. Why not? Because you sat through dozens of cybersecurity training sessions, or you read something somewhere, or someone told you something. 

There wouldn't have been training if there were no problem to avoid, right?

And now you're on vacation, and you're sitting in a tour bus looking at your device's low battery warning...and...oh, just this one time...

Humans are really good at not following rules. It's part of what makes us human. And bad actors know this, and exploit our tendencies against us.


Cybersecurity is about balancing authorized systems access with blocking unauthorized systems access. Behavioral cybersecurity is the most important part of cybersecurity because people still click on the spam/ransomware link, or plug their devices into rando ports while on holiday. 

Suppose you manage a tour bus company. Let's stipulate that you don't have a cybersecurity risk mitigation plan. But you want to have a de minimis level of customer (and business) protection. What does behavioral cybersecurity have to teach us about the situation in this picture? 

1. Create secure systems, not security rules. Oh sure, security rules are important, but your process needs to account for saving people from themselves to the extent that it's possible to do so -- assuming their lapses are not ill-intentioned. (Active insider threats are a different topic.)

2. Identify weaknesses in your cybersecurity systems, and upgrade security around those systems. Does the tour bus company know whether their buses or systems are compromised? And, do they care?

3. Upgrade, upgrade, upgrade. The tour bus company is not trying to steal people's data or compromise their devices. But other actors might want those data and use the bus company's systems as a platform. Because it's just a tour bus company, the most simple and free thing they can do is upgrade their own systems: basic IT Security 101 says, keep your browser or operating system current. And that goes for travelers, also.

Managers of businesses at any scale: you cannot prevent people from ignoring the cybersecurity rules. But you can identify potential weaknesses in your systems, you can create systems that incorporate the rules in their operations, and you can verify that your systems are at least current.

People are more likely to follow the rules more of the time when there is some benefit made clear to them for having done so or when it's easier to follow the rules than to ignore them. As a manager, focusing on creating even more rules is counter-productive; if you value cybersecurity, make it in people's best interest to comply with the least bother when doing so.

Pythia Cyber can help you assess whether you're focusing on rules or systems. Don't lose your balance. And, enjoy the ride!
