We are making users scapegoats for our failings

Jayson Street, VP of infosec at SphereNY. (Photograph by Devin Armstrong)

---

We are looking to technology to solve 'people' problems, but we are not looking to people to solve technology problems.

So said Jayson Street, VP of infosec at SphereNY, during his keynote address this morning at ITWeb Security Summit 2018, at Vodacom World in Midrand.

"We are making human users scapegoats for our failings."

He said dealing with users is a hard problem, but you can patch humans. "It's called education. It's called continuing education. Every Tuesday, on 'Patch Tuesday', organisations patch their servers. Why aren't we doing something to patch users and keep them informed?"

Boxes of technology are not going to solve everything, added Street. "Technology isn't always the answer. It's going to help mitigate some problems, but that's it. We need to look at the human layer."

Street said organisations have all the technology needed to tell the user there's a problem. "The technology works fine. But you still have a human that clicks on yes or no."

He noted it is important to remember that humans will accomplish the tasks required of them to stay employed. Period. "We say they don't know any better. Not so. They will do everything required of them, and no more. We have not made it necessary for them to follow security practices."

The big problem is, we are not teaching security like it's a requirement, says Jayson Street, SphereNY

The big problem is, we are not teaching security like it's a requirement. "During orientation, businesses are leaving out the most crucial aspect. From day one, part of their job should be being part of the security team. They need to act like it. They need to be responsible for it."

One of their tasks should be to secure their computer, to do critical thinking when opening an e-mail. "If it's not part of their job, they won't do it. Educate users and show them they are part of the security team, and that there are real world consequences should there be an infraction."

How do we engage users to be part of the process and not part of the problem? Street recommends making it personal. "Teach them how to secure their WiFi at home and adjust their privacy settings for social media, or parental controls. They don't care about your data, but they do care about themselves. This will make them more security conscious. It will bleed over into work.

"Or 'gamify' security. Offer rewards and incentives to users. For example, offer a prize of say $5 000 each quarter to one individual who reports a suspicious activity or person. Your price is fixed, but the amount of users will vary. Use that as an incentive. Trust me, once again they still don't care about your data, but they do care about the reward. The more times they report something suspicious, the more times they will be entered into the draw."

Finally, he said businesses need to build a rapport between security and the users. "We need to show that we are there to help them. That's our job. The users are our clients. By giving them a secure environment, we are making the company profitable."

Security is seen as a hindrance, as slowing things down, as implementing rules, he commented.

"The dialogue needs to change. We must show them why these policies are in place. Give them a reason. How we communicate is important."