Ask almost any cybersecurity expert in a large company about frustrations and you will hear one message: the expert is frustrated with employees. One day it is people who forgot their passwords over vacation. The next, it is lobbying HR to add more mandatory security training for new hires.
Suppose all that frustration were fundamentally misplaced. Instead of fighting natural human tendencies, look for ways to make the secure choice the easy one.
How Good and Bad Habits Impact Cybersecurity
In his book “Atomic Habits,” James Clear lays out four laws of behavior change. These laws underpin our good habits, such as going to the gym and waking up early. The same laws also explain bad ones, such as excessive snacking and social media addiction. In brief, here are the four laws:
- Law 1: Make It Obvious
- Law 2: Make It Attractive
- Law 3: Make It Easy
- Law 4: Make It Satisfying
The best part about these four laws is that, taken together, they form a repeatable process for making a new behavior stick as a habit.
What does this have to do with cybersecurity? Security success requires constant attention to detail. Imagine if those activities were “automatic.” That is what habits do. Research suggests that roughly 40% of our daily activities are performed out of habit. If your staff have bad security habits, your exposure grows a little every day; if they have good ones, the secure action happens without anyone having to remember it.
In particular, “making it easy” is an underrated security tactic. Too many security programs fail because they make the secure path harder than the insecure one. Attackers understand this better than defenders: a phishing lure is engineered so that the mistake (one click, one password typed into a look-alike page) is the easiest thing to do.
Optimizing Cybersecurity for Convenience
Use Clear’s model to make security easy for employees to live with. You may not be able to apply all four laws at once. Each law you implement makes success more likely, so start with whichever law you can put in place now. (We just used Law 3, “make it easy,” on you.)
Here is each law in turn.
Law 1: Make It Obvious
Policy: Use straightforward language about protecting the organization, employees, and customers. Cybersecurity training should be easy to find; work with HR to add it to the new-employee onboarding process. When employees need help with security, make it obvious where to turn. For example, we have seen organizations put the IT help desk phone number on a sticker on every company monitor. That is a simple way to make the path to help obvious at the moment it is needed.
Tip: Ask yourself how much time you spend explaining security jargon. Look for ways to make security obvious by using plain language and familiar metaphors instead.
Law 2: Make It Attractive
Making it attractive is the hardest law to apply. A clean user interface is one way to do it: user experience (“UX”) matters in security processes just as much as anywhere else. Critically examine each process and each step employees are asked to go through. Where can you apply design principles to make the work less of a chore?
Law 3: Make It Easy
Making it easy is the core of convenience. For example, give employees a self-service way to reset their own passwords. If you force them to call the help desk for every reset, you are adding friction to the whole process. One caveat: a self-service reset is also an account-recovery path an attacker can try, so it must verify identity with something the employee already enrolled (a registered second factor, not just answers to guessable questions). Convenience for the employee should not become convenience for whoever is impersonating them.
Law 4: Make It Satisfying
This law is about rewards.
You can make it satisfying with incentives. For example, praise the departments that reach high completion rates for security activities such as access certification. Alternatively, harness competition by circulating a “leaderboard” of which departments are performing well. That way you are putting the will to win to work for cybersecurity.
Common Pitfalls When You Simplify Cybersecurity
Applying convenience to cybersecurity requires a new way of thinking. If you are used to thinking in terms of controls and risk avoidance, convenience will feel wrong at first. To sell this approach to your management team, use these tips to guide your thinking.
- Overcome objections (“That sounds like a gimmick!”)
This is an all-purpose objection to anything new. Point out that social media became successful partly because of its habit-forming design. Why not harness the same tendencies for defense? If the objection persists, start somewhere less controversial, such as improving your mobile app security, and look for ways to apply the laws there so that the secure process is also the easy and attractive one.
- Reduce security complexity
Do you ask your staff to remember a dozen passwords and user IDs? That is not going to work. You are fighting two of the laws of behavior change at once: make it obvious and make it easy. The better way is a single sign-on (SSO) solution, so staff use one ID and one password at work. Talk about making it easy! Remember, though, that the one credential now unlocks everything, so protect it with multi-factor authentication and treat the SSO platform itself as a critical system.
- Provide peace of mind by eliminating inactive user accounts
Are you asking front-line managers to think of every contingency? That is neither easy nor attractive. For example, when you expect every manager to notice inactive user accounts on their own, you are adding a burden they will eventually drop. Instead, have IT work with human resources so that employee turnover and role changes drive account deactivation automatically, with the HR system as the source of truth for who should still have access.
Resource: Do you have no idea how many inactive user accounts you have? We’ve got you covered: Stopping Inactive User Account Risk Fast.
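As an added illustration of the HR-driven reconciliation described above (this is not code from the original article or from any product it mentions), the following script compares a directory export against an HR roster and flags accounts that need review: owners HR lists as terminated, accounts with no HR record at all (orphans or unowned service accounts), accounts that have never logged in, and accounts idle beyond a threshold. The HR roster, directory export, field names (`employee_id`, `last_login`, and so on) and the 90-day threshold are all constructed assumptions for the example; map them to whatever your HR system and identity provider actually export.

```python
"""Reconcile an identity-directory export against the HR roster.

Added example with constructed sample data; field names are assumptions,
not the schema of any particular HR system or identity provider.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the HR roster is the source of truth for employment status.
HR_ROSTER = [
    {"employee_id": "E100", "email": "alice@example.com", "status": "active"},
    {"employee_id": "E101", "email": "bob@example.com", "status": "terminated",
     "end_date": "2024-03-15"},
    {"employee_id": "E102", "email": "carol@example.com", "status": "leave"},
    {"employee_id": "E103", "email": "dave@example.com", "status": "active"},
]

# Constructed sample: an export from the directory / identity provider.
DIRECTORY = [
    {"username": "alice", "email": "alice@example.com", "enabled": True,
     "last_login": "2024-05-01T09:12:00Z"},
    {"username": "bob", "email": "bob@example.com", "enabled": True,
     "last_login": "2024-03-14T17:30:00Z"},      # still enabled after termination
    {"username": "carol", "email": "carol@example.com", "enabled": True,
     "last_login": "2023-11-02T08:00:00Z"},      # on leave, idle for months
    {"username": "svc-backup", "email": None, "enabled": True,
     "last_login": "2024-04-28T02:00:00Z"},      # no HR owner at all
    {"username": "dave", "email": "dave@example.com", "enabled": True,
     "last_login": None},                        # provisioned, never used
    {"username": "erin", "email": "erin@example.com", "enabled": False,
     "last_login": "2022-01-01T00:00:00Z"},      # already disabled, ignored
]

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_stale_accounts(directory, hr_roster, now, inactivity_days=90):
    """Return a list of (username, reason) for enabled accounts needing review.

    Checks run in priority order: terminated owner, no owner, never used,
    then idle beyond the inactivity threshold.
    """
    hr_by_email = {rec["email"].lower(): rec for rec in hr_roster}
    cutoff = now - timedelta(days=inactivity_days)
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        email = (acct["email"] or "").lower()
        owner = hr_by_email.get(email)
        if owner is None:
            findings.append((acct["username"], "no matching HR record (orphan or service account)"))
        elif owner["status"] == "terminated":
            findings.append((acct["username"], f"owner terminated on {owner['end_date']}"))
        elif acct["last_login"] is None:
            findings.append((acct["username"], "never logged in"))
        elif _parse_ts(acct["last_login"]) < cutoff:
            findings.append((acct["username"], f"no login in {inactivity_days}+ days"))
    return findings


if __name__ == "__main__":
    for username, reason in find_stale_accounts(DIRECTORY, HR_ROSTER, NOW):
        print(f"{username:12} {reason}")
```

Run against the sample data this flags bob (terminated owner), carol (idle), svc-backup (no owner) and dave (never used) while leaving alice alone. In a real deployment the terminated-owner case should disable the account automatically on the HR end date; the other three categories are the list you hand to an owner for a decision, which is the access-certification step the article mentions, with the legwork already done.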
Cybersecurity does not have to be painful to be effective. Make it easy for your staff instead. Do not ask a manager to track user IDs for every staff member by hand; use an access certification tool that presents the list for review. Do not ask staff to memorize a dozen passwords; use single sign-on, backed by multi-factor authentication, so they have one strong credential to keep in mind.