Memes and Security Culture

Memes and Security Culture

“Oh no. Not again!” is a cry heard regularly around my office these days, and when it’s heard, its met with laughter and a slew of replies which can best be described as entertaining — Another unsuspecting victim… of an unlocked computer.

Hi All,

Just wanted to let everyone know I have changed the strategic direction of the cloud team. We are now an on premises infrastructure team only. No cloud. Cloud is dead.

Long live on-prem..

Kind regards,
<Cloud Lead>

The landscape of Information Security within organisations has changed significantly over the past 20 years, and even more so in the past 10 years with the rapid expansion and prevalence of malware and ransomware. Even more prevalent is the increase in both frequency and impact of data breaches. The simplest of which can occur simply by an unlocked computer left unattended.

Now it’s obvious that in a small organisation in particular, with known entities throughout, the chance of malicious use of an unlocked computer is negligible; nevertheless the need to endow robust and meaningful IT security policies is paramount. Strong firewalls, and enforced password complexity will only take you so far. Physical security will always remain a critical element to the security construct.

When a colleague leaves a PC unattended to visit the toilet, or to talk to a colleague, it’s considered to be safe by the person leaving it so; however due diligence tells us that no matter where the PC is, it should be locked when unattended. This is especially so in a Managed Services, external customer-facing organisation, where customer data may be present or a connection established to a customer site. The diligent colleague will lock the PC for the person, and maybe fire off a courteous email reminding them to lock the computer when absent; seldom will this drive behaviour change.

Instead; consider this. A wittily crafted email, with no malicious intent, but with perhaps a subtle friendly jab at the person; or their role? Obviously something in good taste, especially where its known the target can take a joke; sent to a known group of like-minded friendlies, or for smaller companies where the culture is very closely-knit, an “All Staff” email.

Hi All,

I have been here at <company> a while now and I feel like I have been pretty boring while being <manager>’s new Office Pet. So with that in mind I would like to take you all to <local bar> tonight and buy you all drinks so I can get to know you all a lot better and maybe get some tips on a better haircut.

Kind regards,

Now, all the staff are aware that said person has left their computer unlocked; and will be roundly and playfully ridiculed. There’s no malice in it, and everyone involved knows it’s all in jest; but the lesson is drummed home, and seldom will they leave their computer unlocked again. And best yet, they are now a player in the game; constantly on the look out for unlocked computers and lax colleagues.

The gamification of IT Security is a roundly underutilised approach, but one that should be more readily employed for many aspects of IT Security.

If the goal is to drive home behaviour change, I have yet to find a better approach.

Pro tips:

  • Some companies will frown heavily upon this approach. Before undertaking some clandestine email sniping, verify that you aren’t breaching any HR protocols or policies.
  • Don’t make it personal; Don’t take the opportunity to needlessly be mean or callous; it’s both counter-productive, and just a jerk thing to do. Don’t do it.
  • Build allies: Once you get the reputation as “that guy”, colleagues will be quick to point out unlocked PCs. This will come in handy for the next pro tip.
  • Keep a scoreboard: it will help point out the offenders of lax IT security, and aid further in the gamification of the IT Security policy.
  • Make sure when you are jumping up to snipe someone's computer, you lock yours first. The only thing worse than getting sniped, is to be counter-sniped.

In my office, and in several other workplaces I've frequented, I’ve seen a significant drop in unlocked computers once these games become prevalent. And one thing I didn’t expect to see; the concept of IT security is brought forward in the consciousness of my colleagues. This pleasantly surprised me, in that seeing IT security being actively considered in more and more decisions as a direct result of a simple office game was very unexpected, but without question a positive outcome to the entire endeavour.

Try it yourself in your workplace, and let me know how it goes. Did you see a conscious improvement in security culture?