Security behaviour is often described as the way staff members react when a security decision must be made, which brings in the personality of the individuals and of the collective group in question. That personality generally has two main strands, workplace behaviour and personal behaviour; once you also take the situation and environment into account, you have the basis of their security behaviour.
The level of controls implemented in information security varies greatly across the small and medium-sized enterprise (SME) sector. Each business uses its own criteria to justify its information security needs (if any), and the level of implementation ranges from literally nothing to comprehensive, layered approaches of policies, processes and implementation.
Recently, most SMEs I have encountered don’t have a dedicated budget for information security, and they also lack an IT department or dedicated staff. When I first started in the IT sector my approach revolved around the technical aspects – a typical scenario would be out-of-date hardware and software creating vulnerabilities, and X amount of money would resolve the issue. These were technical solutions put in place to resolve a perceived risk to the business, but all this reinforces to a small business is that IT is a cost centre: from their perspective they put more money in and get nothing back.
Experience has taught me this approach doesn’t work, as the technical details were often overlooked, and often written off or dismissed as an acceptable risk because of the cost. Windows 95 on the network, unsupported, but with all their financial data on it and no backups? Acceptable. Over time it became more apparent that the “don’t fix it if it isn’t broken” attitude applies to technology except where financial or other business benefits could be gained from investment in new technology or software.
Through those initial experiences and periods of learning I started taking a different and more successful approach: building information security into the day-to-day running of the business via their purchases. Recommending products which are user friendly, secure, well supported, and have excellent reporting capabilities for non-technical people often becomes a bigger driver for information security, which arrives as a by-product of business development. They no longer see a Wi-Fi purchase – instead they see a way to analyse guests, what they visit, charge them for guest access, etc.
The most blatant example of this is Windows XP, which by now is really showing its age, yet we still have machines running it in service; we still get the calls of “it’s slow” and the retort to our pleas to upgrade is usually “but it’s worked fine for years”. The security benefits alone of upgrading to a more recent, and therefore supported, version are tremendous for the business. In some sense they are right – it has worked for years without issue – but they aren’t really going to take in the security benefits when in reality all they want are practical benefits such as more speed, more applications, more mail in Outlook. This is where up-selling the positive benefits, such as solid-state drives (press the button and be ready to work in seconds), faster network transfer speeds (SMB3), or other such benefits we take for granted as the norm, seals the deal for the end user or decision maker.
Often it is the ability to monitor their systems through the “beautification” of data, with systems such as the Meraki line (now Cisco Meraki), OpenDNS, and various other third parties, that has driven the business to invest, and therefore to improve their security standing as a positive fallout of improving their reports and business data.
Longer term, the systems we push as administrators and consultants will dictate the security stance these businesses take; skimping on these solutions, or choosing unfriendly or unwieldy ones where a technical skill-set is required to get tangible information out, turns the grassy knoll into a minefield further down the road. The underlying security behaviour of the business is a net positive when we use (and abuse) the personality and the culture of the business to drive the growth we so desperately need in this day and age.