Amy has her passwords written on a post-it note under her keyboard.
Brian keeps backups of important data on his personal pen drive.
Claire let David use her account – just for five minutes – while she went to make a cup of tea.
Stories like this are commonplace in every large organisation, and lead to the popular refrain that 'people are the weakest link' in cyber security. But users aren't breaking the rules because they're bad people, or because they want to annoy their managers, or make life difficult for security staff. They know full well that they're breaking the rules, and they usually feel bad about it. But in the vast majority of cases, people break the rules because they need to get the job done, and they're taking what seems at the time like the best option available to them.
Amy has to juggle ten long, complex passwords just to start her day, and password resets eat up valuable time that she can't spare. Brian has had records go missing one too many times due to programs crashing, losing important customer data and causing unsustainable delays. David only had five minutes between meetings, which wasn't long enough to log on to his own account – and Claire understands that if he hadn't printed that key document, the team would have looked bad in front of their director.
When your organisation's security policies and technical constraints conflict with core business requirements, your staff's willingness to bend or break the rules is often the only way to get work done.
That doesn't mean you shouldn't have any security policies, or that you shouldn't enforce them. But when users break the rules, they're trying to tell you something. The workarounds and 'fixes' that users settle on can identify problems with the status quo – and often point to quick interim solutions.
Amy is struggling to manage a large number of passwords, a common problem these days. The NCSC's Password Guidance recommends taking a wide-ranging approach to authentication. Is it really necessary to have that many passwords, or could some be replaced by PKI certificates, biometrics, or a physical token? In the short term, since Amy needs to write down her various passwords, you could give her some advice on where to safely store that all-important information away from prying eyes, and encourage her to put her efforts into memorising her most important primary login details.
Brian has to use legacy systems that regularly crash, losing important data. By maintaining a personal backup, he's creating additional information risk – he could lose that pen drive – but he's also adding a layer of resilience, mitigating a critical business risk. Although replacing legacy technology is a long, slow, and expensive road, in the meantime, you could make his life easier and reduce the risks by providing him with an official, encrypted USB stick.
David's problem is that logging in takes ages, and there might not even be a spare terminal when he needs one. Although his behaviour might seem harmless, if he was up to no good, there wouldn't be an audit trail. Claire has a normal, human wish to help her colleagues, and you don't want to undermine trust in the team by putting too much emphasis on the possibility of malicious insiders. But if David had a laptop or tablet to take to meetings, he could save time and trees by referring to electronic copies of important documents.
These simple examples illustrate some of the ways that your users are communicating their needs when they break the rules. Instead of running more awareness campaigns or insisting on increased compliance, is there a way you could change the environment to support your staff and get better business outcomes as well as better security?
Sociotechnical Security Researcher