Nic Sarginson, principal solutions engineer at Yubico, identifies the three most dangerous types of internal users to be aware of, and how IT teams can address them
In the aftermath of a cyber security breach, as IT teams begin the process of understanding how the breach happened, they are likely to have a ‘suspects list’ of internal users. These users typically fall into three categories: the cautious users, the traditionalists, and the overachievers. These are the three most dangerous types of user that organisations need to understand and prepare for.
None of these users intentionally places the company in danger, but their unintended mistakes can have devastating consequences. Though IT teams will have security strategies in place, those strategies cannot take a one-size-fits-all approach. When addressing all users about changes to security practices, communication is key. However, each user group and its concerns must be addressed with a different approach to ensure that security is accessible to everyone within the organisation.
Cautious users
Cautious users are willing to comply with new protocol changes, but need some time to fully adjust. They may need more gentle encouragement than the typical user, as they take more of a “wait-and-see” approach to new cyber security changes, often out of fear that the change will disrupt their workflow. This can pose a serious risk, because exposure is highest during a major security change, while the old controls are being retired and the new ones are not yet fully in place. Timing is critical during such events, and any security gap left open for too long is more likely to be exploited.
Traditionalists
Traditionalist users may ignore cyber training sessions and emails from IT, or avoid learning new authentication processes, seeing these as unnecessary. They are generally hostile to change and often do not trust IT help desks, believing that the process for asking for help is too time consuming. Because they do not engage with how these new changes will directly affect their everyday workloads, some wait until the last minute before adopting the new security changes, while others resist altogether.
The risk to cyber security is clear: this resistance to some or all security changes is a breach waiting to happen. Without proper training, such users are more likely to open suspicious emails and inadvertently let malware into the organisation’s IT environment, for example.
Overachievers
Overachievers may unintentionally cause issues by taking IT security into their own hands, as they may feel they are too advanced to need help. Like traditionalists, overachievers may ignore cyber training sessions and emails from IT, or avoid learning new authentication processes, seeing these as below their skill level. This group of users is often overlooked when an assessment is performed, yet, based on their own experience, they may feel that the resources within the organisation are not adequate.
Being overachievers, they become frustrated when IT help desks ask lower-level questions when following up, or are not prompt enough in responding to their requests for help. This can lead these users to take it upon themselves to ‘fix’ the problem, for example by mistakenly downloading viruses or malicious software that poses as a credible IT resource. Although unintentional, such mistakes can weaken the organisation’s overall security posture and undo, or work against, the new security policies their IT teams were trying to implement.
Communicating with all users
When approaching all users, explaining how easy the new security changes are to use, and how they can actually improve daily tasks, is the most effective way of getting users on board. Processes that are easy to integrate into existing workloads cause far less resistance during and after an upgrade. This can be done through an in-person meeting, a video training session, or, for more cautious users, a personalised email providing a step-by-step walkthrough of the technology.
Whatever the method of delivery, it should include an explanation of why the security change matters and how to use it. Done correctly, and with notice given a reasonable amount of time in advance, this provides the encouragement these users need to adopt the changes.
When addressing users like overachievers, who do not often ask for help, IT teams must proactively reach out to them with enough time to go through any questions or concerns they may have. The same applies to more challenging users such as traditionalists, who respond best to direct communication from their own team or from senior leadership, delivered gently and repeated consistently. It is important to note, however, that this is less effective with traditionalists when the message comes from someone they are not familiar with, or from the IT help desk. Overall, to actively engage all users in security strategies, organisations must develop plans that suit their users’ individual needs.