Ask Floh: How to build a good security culture at work
Too many “restrictive” security rules at work messing with your productivity?
Having a bad security culture is not only harmful to workflow, it can also be bad for security itself.
In this week’s Ask Floh, we take a look at what makes a security culture work well, why building a good workplace security culture is important, and three ways to make your security culture better.
A good security culture means that everyone owns security and everyone understands what the security risks are. That means no more sharing confidential information, proprietary trade secrets, or personally identifiable data like addresses and phone numbers in unencrypted email or team messaging apps. When you’ve got extra sensitive data, you need extra high security. Consider using an end-to-end encrypted messaging and cloud file storage solution like Peerio.
End-to-end encryption (E2EE) is one of the strongest forms of encryption out there. It’s also one most effective strategies for mitigating damage caused by hackers and data breaches. Even if you get hacked, your data stays indecipherable without your keys.
Alright, hello. Welcome back to Ask Floh. I am here with yet another security question. So today’s question is:
“Our IT won’t let us bring our own devices to work. I feel it’s just too strict and it messes with my productivity. We have so many restrictions. Our security culture is like a yoke around my neck. I get that we need security because human error, but is there some better way we can build a good security culture at work?”
Okay. Yeah, so security culture is really important. But I feel that too often you end up with a security culture that’s actually really detrimental to people’s ability to work, to people’s morale, and ultimately detrimental to security itself. So I don’t know what it is specifically that you’re struggling with, what it is that’s restrictive, maybe it’s, you know, really overwhelming firewall rules. Maybe it’s old machines. Maybe it’s an operating system you don’t like to use.There could be all kinds of things.
And ultimately, I think the issue with this kind of security culture is that when people feel so fenced in, and they’re just trying to, you know, finish that report, or whatever, they’re going to find ways around it. And ultimately, security is going to be compromised, no matter what because people aren’t going to follow the path that was laid out for them. They’re going to go outside of it to just do the thing they need to do. And that’s really natural and unfortunate.
But this is what happens when you create a culture like this. So what I would say is, that is good security culture is one in which the security choices are easy. They’re usable, they’re sort of the path you want to follow. Good security shepherds you in the direction of the more secure path and this seems to be not at all what’s happening in your company. So in the situation, there’s a few things that I would recommend that you do.
#1 Understand why
So the number one thing is you need to understand why these rules are in place. So I would encourage you, firstly to, to go talk to security and try to understand where these rules are coming from and what it is that they’re trying to protect against, you know, what is the data that’s trying to be protected? What are the things that security is worried about?
#2 Find an advocate
Number two, I would encourage you to find an advocate, maybe someone in management that understands how bad these security policies are for your ability to do your work and find other people, maybe on your team or on other teams that feel the same way so that you have a little bit of critical mass for saying, “Hey, this is not a good solution. And actually, it makes me less productive, and it also lowers my morale, it makes me frustrated.”
#3 Be a champion
Number three, I would say is basically to be a champion of security, but to really position it in a different way. As you know, I understand that these are the things that we want to protect. And these are some of the policies and these are some of the things that could help me be able to incorporate security best practices into my work. And this is what could contribute to me (and everyone else in the company) treating security as something we own.
And I think that’s really important in a good security culture. Everyone owns security and everyone understands what security means. So yeah, those are my three tips, I guess. And I wish you good luck. This sounds like a pretty challenging road ahead for you. But I’m glad that you’re thinking about it and doing the right thing.
Alright, see you next time. Take care.
You know what’s better than secure team communication? Nothing. Peerio gives you a super secure way to chat with your team, store and share files, all in one place. Every message and file stored and sent with Peerio is encrypted end-to-end by default. Learn more.