The 'human firewall' and the burden of securing your organization
Whether you regard your colleagues as Layer 8 "issues" in your own OSI stack, or as a human firewall that should be able to recognize and act on inbound threats, getting your general employee population on board with your information security goals is, like everything else in organizations that execute well, ultimately a matter of culture.
And the strongest security cultures are those where each and every employee fully understands that they are on the front lines: extended members of, and the early warning system for, your core team in the security operations center (SOC).
Make it easy for your colleagues to express concern about something they’ve seen or experienced. We are all familiar with the guidance, "If you see something, say something" that we often encounter when traveling on public transportation. Rather than defaulting to the common practice of developing and publishing a complicated policy which details multiple steps the employee must follow when they encounter suspicious activity, make it a simple and natural step to report it. Reducing the friction will pay dividends.
Carefully consider how that concerned employee can reach your information security team directly via phone and chat. Providing multiple channels to ask for help increases the chances that the employee will use one of them. An employee who finds it too hard to fill out your helpdesk form to open a ticket may be an employee who decides it’s just not worth the time to disrupt their day to follow proper protocols.
There is also significant value in explaining the "Why" at the same time you are mandating the "How." Attack vectors that are obvious to you as a security professional may not be clear or even visible to someone who doesn't live and breathe security every day. Make it real by treating your employees as the whole people they are, with advice and ideas that can help them not only during corporate hours while interacting with corporate assets, but also at home.
As an example, explaining and demonstrating why password reuse is so risky is one great place to start. A story in which you lay out the steps needed to compromise a single account, and how that one compromise can directly lead to compromises of ten other accounts that share the same password, may be something your general employee population has simply not taken the time to consider. Recommending a password manager (and supporting it through your helpdesk) is an investment that will easily pay for itself, even in the short term.
And here’s a final thought for you to consider. Characterizing your employees as "the human firewall" is an analogy that can fail along the same lines as the legacy perimeter-based security model has failed. The legacy firewall that secured your perimeter was assumed to be an impenetrable defensive control, and it clearly is not. Your employees shouldn’t carry the burden of being security controls that are expected to never make a mistake.
Treat your fellow employees as valued members of your extended security team, and not "problems" that your SOC must stamp out daily.
Ben Smith is Field Chief Technology Officer with NetWitness, an RSA business. He brings more than 25 years’ experience in the information security, risk management, networking and telecommunications industries; his prior employers include UUNET, CSC, and the US Government, along with several technology startups. Smith holds industry certifications in information security (CCISO, CISSP), risk management (CRISC), and privacy (CIPT).