In the world of cyber security, we have reached the point where we feel the need to codify security behavior by telling people what to do and what not to do. But sometimes I wonder if security policy should rely on a much simpler approach—the notion that people already have a sense of right and wrong and should be encouraged to use their best judgment.
Certainly, security policies are complex. There are many of them, and they are scattered all over the place. But so is the law. And when was the last time you had to pick up a law book to know what’s right or wrong? In most societies, the law stems from basic commandments. Most of us have those principles drilled into us from when we are young. So we might not know specific laws, but we have a sense of right and wrong.
When I grew up in Glasgow, Scotland, my mother would use a phrase that would drive me insane. When she’d tell me I couldn’t do something I wanted to do and I’d ask why, she would say “that’s not the done thing.” I’d always wonder what this “done thing” was. The done thing was, of course, what was normal for society to do.
It seems like we sometimes forget that people have a sense of right and wrong when it comes to behavior in the workplace. One well-known exception is retail giant Nordstrom, which, until several years ago, used a 3-by-5-inch card as its “employee handbook.” It listed “Rule #1: Use your best judgment in all situations. There will be no other rules.” Another paragraph invited employees to ask their managers questions at any time. (Nordstrom still urges employees to use their best judgment but now hands out a more detailed handbook covering rules and legal requirements.)
I think in the IT world we can draw on the same idea: that people can use their understanding of basic rules and responsibilities to help guide their secure behavior. Of course, those judgments are only as good as the information behind them, so our challenge in our Global Security Office (GSO) is to raise general awareness about security issues. If people don’t know there’s a credible information security threat, they can make a risky decision with the best of intentions.
Beyond our security awareness campaigns, though, I thought it might be a good idea to come up with a few simple rules—“done” and “not done” things, if you will—around IT security to help users behave responsibly without having to understand every aspect of our security policies.
• Don’t give information to people who shouldn’t have access to it. It seems like a pretty natural rule. We all learn as individuals that some secrets need to be kept. We can’t give out all information to everyone. So if a person doesn’t have a good reason to have that information, or isn’t authorized to receive it, we shouldn’t give it to them—whether it’s an electronic record, a paper document, or information in any other form.
• Lock things up when you aren’t using them. We learn as children to lock doors; it’s a basic tenet of security given the threats out in the world. So if we step away from our computers, or we’re finished with the data we’re logged into, lock the screen or log out so the wrong people can’t get at it.
• Treat other people’s data the way you’d like them to treat your own. Borrowing yet another phrase from my dear mother, I should treat others the way I would like to be treated myself. It is a concept that I think we are all pretty comfortable with and one that can be easily extended to IT security. If I give someone my social security number or other personal information, I have an expectation that they’re going to protect that data and that it won’t end up on the Internet. When customers give us information, we need to safeguard it, treat it as if it were our own, and make sure we don’t violate their confidentiality.
• Beware of Murphy’s Law: if something can go wrong, it will. Going back to my childhood again, the one time I would decide to do something bad—like sneaking that one cigarette as a teen—is the one time I would always get caught. The one time you put something on your laptop that you shouldn’t is probably the one time it gets stolen. So don’t put yourself in a position to be a victim.
• If it doesn’t feel right, don’t do it, or at least check with someone before you do. We all have enough awareness of cyber security to understand when something doesn’t feel right. So before you copy a document onto a USB drive, ask yourself how it will feel if you lose it on the way home and somebody picks it up. Should you do that? And does emailing it to your personal address feel any better?
• If you wouldn’t want people to know what you’re doing, don’t do it. If you are doing something you wouldn’t want to be made public, should you still be doing it? The same question applies to IT security.
It’s like speeding. I know if I speed I’m probably not going to get caught, but that doesn’t mean it’s okay to speed. We should slow down for the right reasons—because we don’t want to harm anyone—and not because we don’t want to get a ticket. GSO won’t catch everyone who goes to an insecure site or does something risky, nor do we want to. The fear of getting caught isn’t the right reason.
Hopefully, these few simple rules will help reinforce your IT users’ sense of right and wrong when it comes to IT security without requiring them to remember the details of specific policies. Of course, if users are interested in getting as immersed in security as I am, that’s fine too. But, like Nordstrom, I also have faith in IT customers’ ability to use their best judgment when policy details aren’t their biggest day-to-day focus.