Educating your users to be good digital citizens provides the myriad benefits of crowdsourced IT security, writes Curt Carver, CIO for the University of Alabama at Birmingham.

The creation of digital citizens, inside and outside the office, should be the top priority of organizational security professionals. Rather than pretending to deploy perfect defenses or engage in a classic game of security whack-a-mole, cultivating digital citizens is the real security currency of an organization.

So what is a digital citizen from an organizational security perspective? A digital citizen is a modern worker who can determine what is normal and what is abnormal, and who knows what to do if something abnormal occurs. While this sounds simplistic, it is, in fact, quite difficult to implement. It requires a mix of proven and new techniques to nurture and develop a new breed of digital citizens.

How to Develop Digital Citizens

The development of digital citizens requires the appropriate mix of policy, technology, and education/awareness programs, both proven and new, with a greater focus on empowerment. You will still need traditional organizational policy and technical solutions – they do not go away. I am not proposing an end to security policies, anti-virus software, mobile device management, or security awareness programs. I am proposing the inclusion of digital citizens in the process of co-authoring security documents, and that those become living documents.

None of these forms of guidance is static; each should have an FAQ component that clarifies and addresses emergent needs. The policies must be short and actionable from the digital citizen's perspective. The same is true for technology and educational programs. Rather than trying to design the perfect security system from on high and in isolation, engage with and empower your digital citizens to co-create security solutions. If you do this the right way, digital citizens crowdsource the security environment: they help identify cyber kill chain events and phases, and they keep your security environment current and aligned with their needs and the threat environment. In this role, digital citizens serve as a force multiplier for security professionals.

For digital citizens to fulfill this role, they must be educated to understand the security environment. Training of users becomes more important while certain awareness activities wane in importance. For example, security posters and passive PowerPoint presentations on phishing attacks are not nearly as important or effective as active anti-phishing training, or as a report spam/attack button in the user's email interface where they make a decision, take action, and see the results.

Such active, engaging educational experiences must become the norm. The difficulty of changing how digital citizens think and operate should not be underestimated; it requires careful and consistent engagement. The learning should be active where possible, and should enable digital citizens to accomplish their daily tasks more effectively. This requires some innovation and creativity. It is not enough to provide a secure solution – it must also provide the tools that make it easy for digital citizens to accomplish their daily tasks and do what is right. Perfectly secure systems that users find hard to use are not perfect.

For some examples, let’s examine two new ideas implemented recently at our institution.

The Forgotten Password Problem

Our password policy required eight-character passwords to be changed every quarter, frustrating users who had trouble remembering their latest password. 70-90% of help desk calls were related to resetting passwords and forgotten passwords. All of this was a very expensive occupational hobby that did not advance the enterprise.

So what did we do to empower our digital citizens while reducing their frustrations? We doubled the length of passwords from 8 characters to 15. Each additional character multiplies the number of possible passwords, so password strength grows exponentially with length. We quadrupled the duration of passwords to one year, provided self-reset of passwords using text messages, and provided each user with modern password management software to select and remember their many passwords. The cumulative effect was more security, empowered and delighted customers, and cost savings through dramatically reduced help desk ticket calls.
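To put numbers on that trade-off, here is an added example (not code from the author or the university) that compares the two policies described above and nets the longer password length against the longer rotation period; the 95-character printable-ASCII alphabet and the 90-day quarter are assumptions, since the page does not state either.

```python
import math

# Assumed alphabet: 95 printable ASCII characters. The page does not
# say which characters the policy permitted, so this is an assumption.
ALPHABET = 95


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = ALPHABET) -> float:
    """Keyspace expressed in bits: log2(alphabet ** length)."""
    return length * math.log2(alphabet)


def compare_policies(old_len: int, old_days: int,
                     new_len: int, new_days: int,
                     alphabet: int = ALPHABET) -> dict:
    """Compare an old and a new (length, lifetime) password policy.

    A longer lifetime gives a guessing attacker proportionally more time
    against a single password, so the lifetime ratio is divided out of
    the keyspace gain to give the net change in guessing cost.
    """
    space_gain = keyspace(new_len, alphabet) // keyspace(old_len, alphabet)
    lifetime_penalty = new_days / old_days
    return {
        "old_bits": entropy_bits(old_len, alphabet),
        "new_bits": entropy_bits(new_len, alphabet),
        "keyspace_gain": space_gain,          # exponential in added length
        "lifetime_penalty": lifetime_penalty,  # only linear in added days
        "net_gain": space_gain / lifetime_penalty,
    }


if __name__ == "__main__":
    # The page's policy change: 8 chars / quarterly -> 15 chars / yearly.
    r = compare_policies(old_len=8, old_days=90, new_len=15, new_days=365)
    print(f"old: {r['old_bits']:.1f} bits, new: {r['new_bits']:.1f} bits")
    print(f"keyspace grew x{r['keyspace_gain']:.2e}, "
          f"lifetime grew x{r['lifetime_penalty']:.1f}")
    print(f"net guessing cost per password grew x{r['net_gain']:.2e}")
```

The seven extra characters multiply the keyspace by 95^7 (about 7e13), while quadrupling the lifetime only multiplies the attacker's window by about four, which is why the longer, rarely rotated password is the stronger policy.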

Cheap and Easy Cloud Storage

Monthly, I receive an email from a major cloud storage provider that is not our storage partner, saying something like "10,000 users within your email domain used us last month," or "360,000 files were exchanged last month within your email domain using our services". These messages indicated to me that the storage systems we were providing were too hard or expensive to use, so employees were registering their own storage accounts elsewhere using their work email addresses.

So, we moved to unlimited storage and deployed it for free in order to make it easy for digital citizens to do what is right. The solution is mobile-enabled so they can work securely whenever and wherever they want. Less secure and less reliable central and shadow-IT storage solutions pale in comparison with an unlimited, free, and secure cloud-based service. There is now a bright line between utilizing cloud storage safely and doing your own thing expensively, separately, and insecurely.

Other initiatives involve mixing old and new approaches to create digital citizens. We implemented a standard patch management system (old) across the university. We will gamify patch management with organizational leaders so that they compete for badges based on how patched their systems are (new). We implemented second-generation firewalls (old) and a five-course sequence focused on cyber kill chains to create a new generation of security professionals who can leverage the full capabilities of these firewalls (new). Active anti-phishing training will augment a significant increase to the security budget focused on creating digital citizens.

The security world is evolving. While an appropriate mix of technology, policy, and educational approaches remains important, the real currency of an organization is its digital citizens. Developing digital citizens who can determine what is normal, what is abnormal, and what to do when something abnormal occurs is the best security investment in today's security environment. You only have to change how they think and act.

The Heller Report