The problem isn’t passwords; the problem is people and their security behaviours around passwords
Take what Tom, an employee, has to say as an example…
“Me? I’m useless at security. Last week we were told we’d got to update our passwords… again. I still haven’t done it. See the thing is I’ve just got used to the one I’ve got, and I can remember it now, and if I change it then I’m going to have to write it down somewhere, and we’ve been told we can’t do that. It’s not my fault I can’t remember. And no one else I know changes their password when they’re told. I mean, it’s not like me not changing my password is going to lead to some hacker getting in and bringing down the company – they’ve got to have bigger fish to fry! Anyway, it’s not really my problem; I’m not in charge of security and there should be a better system than relying on everyone to remember a password, shouldn’t there?”
And what seems like a simple instruction – change your password – opens a can of worms!
How many beliefs can you spot in that little speech that affect Tom’s ability to do the right thing?
There are beliefs about technology, about the self, about responsibility, about other colleagues, about hackers, about chance, about difficulty, about what you’re protecting…
I could go on.
BUT – and here’s the crux of it all – employees like this are voicing cultural beliefs that continually reinforce themselves in conversations and behaviours, and those beliefs stack up to stand in the way of even the most straightforward of secure actions being taken.
To change security behaviours we need to change minds, to challenge beliefs – beliefs that are held by individuals and the culture at large.
To find out more and discover how you can get board buy-in for security culture change, so that speeches like Tom’s become a thing of the past…