Technical Controls as a Driver of Cyber Culture
Forced technical controls, if integrated appropriately into an organization’s culture, can dramatically increase cyber defense capabilities as well as combat employees’ inherent resistance to change.
This article was originally published in December 2021.
Introduction: What are Forced Technical Controls?
Most sophisticated cybersecurity organizations have embraced technical controls as a management mechanism. Some organizations have even begun mandating their adoption. Forced technical controls, if integrated appropriately into the culture, can dramatically increase cyber defense capabilities as well as combat employees’ inherent resistance to change. While proactively initiating change may seem counterintuitive to creating a strong culture, when implemented correctly such a policy underpins and enables the desired behaviors. Required change is efficient and direct, providing employees with less ambiguity and faster results. Forced technical controls, such as Multi-Factor Authentication or Password Managers, paired with an optimized use of employee cyber awareness training can reduce organizational security risk exposure.
The easiest way to conceptualize forced technical controls is to break it down into two parts: ‘forced’ and ‘technical controls.’ Let’s start with ‘forced.’ At face value, the word implies employees may be coerced to act or work in a manner with which they may disagree. However, the concept is actually quite common in organizations. Simply put, ‘forced’ requirements refer to any controls put in place by the organization that employees must fulfill in order to maintain employment status. During employee onboarding, employees are asked to install cybersecurity software and use approved email addresses. Other examples include submitting timesheets, signing Non-Disclosure Agreements (NDA). In short, every organization has policies and procedures that employees are expected to comply with as a requirement of employment.
‘Technical Controls’ are most often hardware or software that is used to safeguard against bad actors or outcomes. These too, are commonplace across organizations, but they might not be as prevalent in the day-to-day lives of each and every employee. An example of a technical control most organizations have is a firewall, which monitors and filters incoming and outgoing network traffic.
Joining the terms together we have ‘Forced Technical Controls’ or requirements of employment to safeguard against bad actors or outcomes. When applying a cybersecurity lens to this definition, forced technical controls can include any cyber security best practice that the organization chooses to implement as a formal policy or procedure. Effectively, they are controls put in place to protect both employees and organizations from the errors that most commonly result in data breaches. In addition, they are controls that affect employees mid-stream rather than at the onboarding phase. Organizations can leverage such controls to strengthen their cybersecurity posture, alter employee behavior, and reduce the risk of human error.
Forced Technical Controls Combat Change Resistance with Minimal Time and Costs
Cybersecurity organizations have a responsibility in protecting the information and assets across each function of the business. Despite that responsibility, the budget for security functions sits at about 10% of the IT budget for most organizations. (1) While 10% of the budget may seem reasonable, it is becoming more challenging for several reasons. First being, the cost of developing up-to-date and effective security education materials has reached an all-time record for large enterprises — $290,033 per year, which accounts for time and effort employees put into the preparation and delivery of security training. (2)
Not only does this preparation of this material take significant time and effort, it also takes time away from revenue-generating work as all employees sit through training, which is not accounted for in the value above. However, with limited costs also come challenges with employee sentiment.
When implementing forced technical controls, it is important to understand and anticipate employee sentiment to the pending organizational change. Researchers have named this resistance phenomenon: change resistance theory. In short, innovation resistance among employees is defined as behavior resulting from rational thinking and decision-making regarding innovation because of potential changes that may affect the existing status quo or beliefs. (3)
Introducing Forced Technical Controls is a great first step to strengthening cybersecurity culture in an effective, cost- and time-efficient manner. Furthermore, NIST suggests that the first round of technical controls chosen for implementation should be simple, with little disruption to day-to-day work activities, to allow employees to acclimate to the changes. Through the gradual introduction of technical controls, organizations launch an effective cybersecurity posture. In addition, this opens opportunities for expanding the program in the future, depending on KPIs that gauge both employee satisfaction with the cybersecurity program and overall cybersecurity knowledge.
Forced Technical Controls Remove Organizational Weak Links
Over the past year, the rapid increase in hybrid work environments, resulting from the COVID-19 pandemic, has been cause for great concern among many cybersecurity departments. The quick transition resulted in little-to-no time to pressure test new policies and procedures, and required organizations to be reactive rather than proactive. Coupled with reduced oversight into employee security behaviors and fewer opportunities for real-time feedback or training, organizations are seeing more and more predictable human errors. While strong password hygiene may seem obvious to cybersecurity professionals, research suggests that, despite greatly increased cybersecurity support and investment, there is a lot of room for improvement. A study conducted by
Figure 2: Shows the three risks to company security that employees face in their typical everyday routine.
a Harris Poll found that 24% of password users still leverage basic passwords such as qwerty, 123456, or password123. (4) In another study conducted by Logmein, it was found that employees reuse their passwords an average of 13 times. (5) The actions in both examples are avoidable and could be made obsolete through forced technical controls that are readily available. To address this concern, organizations should consider introducing Password Managers as one of the forced technical controls. Password managers are an effective and simple technical control that have proved effective at organizations. They allow employees the ability to create more complex passwords that don’t need to be remembered; the passwords will be stored within the password manager software. What this means for users is that each and every one of their passwords can be different and complex, without the burden of remembering dozens of unique passwords. With less than half of the companies in the world instituting password managers, there is opportunity to introduce Password Management as a solution to human error and predictability in password choice. (6)
Another forced technical control organizations should include is Multi-Factor Authentication (MFA). MFA requires users to have multiple types of authentication such as a password (something you know) and secondary approval from a different device or account (something you have), to gain access. A LastPass study found that only 57% of companies use MFA when it comes to securing businesses. (7) MFA is a great first-step to implement during a cultural change to a secure organization because it is a control available in products most organizations are already using, G-suite and Microsoft Office and is promoted to protect against 99.9% of automated attacks. (8) These MFA technologies are included in the package companies purchase for these systems, meaning there is no additional cost associated.
As organizations look to enhance their cybersecurity practices, it is important to remember that employees may be their weakest links but they are also their most valuable asset. Maintaining employee buy-in and support, especially when it comes to security training, is difficult. To combat resistance, organizations should focus on the low effort, higher reward mentality that Password Managers and MFA provide — the upfront effort for employees is of great value to the organization as a whole and does not place a heavy burden on the employees. (9) In many instances, Forced Technical Controls are viewed by employees as less burdensome than lengthy security training and are often easier to visualize the downstream organizational impacts. Not only will this quell any frustrations employees may have from security training, but it will also provide some comfort to security teams knowing that technology can be used as an aid to secure the daily routines of employees.
Implementing Forced Technical Controls
Cultural Change is difficult both for organizations and employees. Employees often have a steep learning curve, and organizational leadership has to be willing to work with them through that time of change. For organizations, there needs to be a defined strategy for how the implementation will take effect. For a successful transformational change, there need to be desired outcomes, an integration plan, and continued feedback from those affected by the change. For employees, they need to be aware of the changes through effective communication, they need time to adjust, and need to feel heard. Forced technical controls are an effective way organizations can increase their culture of security. It is, however, a transformation that will require work. Organizations need to be prepared for initial pushback from their employees. Despite that pushback, benefits greatly outweigh drawbacks. When implemented correctly, forced technical controls provide a more secure cyber foundation for the organization, reduce time and energy spent on security training, and can even improve employee perspectives on the importance of cybersecurity awareness. Through thoughtful implementation, organizations will take their cybersecurity cultures to the next level with forced technical controls.
Figure 3: Shows the risks and associated mitigation strategies to implementing three technical controls: strong passwords, MFA, and Password Managers
ABOUT THE AUTHORS
Christa Zubic (christa.zubic@dayblink.com) is a Consultant within DayBlink’s Organization & People Center of Excellence and is based in the Vienna, VA office.
Michael Morgenstern (michael.morgenstern@dayblink.com) is a Partner within DayBlink’s Cybersecurity Group.
CONTRIBUTORS
Steven Schmitz is a Senior Consultant within DayBlink’s Cybersecurity Group and is based in the Vienna, VA office.
Nick Suarez is a former Consultant within DayBlink’s Cybersecurity Group and is based in the Vienna, VA office.
References
(1)“Cybersecurity Budgets Explained” https://triadanet.com/cyber-security-budget-calculator/. Accessed 28 November, 2021.
(2) “Cost of User Security Training Tops $290K Per Year” https://www.infosecurity-magazine.com/news/cost-of-user-security-training/ Accessed 28 November, 2021.
(3) “Puneet Kaur, Amandeep Dhir, Naveen Singh, Ganesh Sahu, An innovation resistance theory perspective on mobile payment solutions, Journal of Retailing and Consumer Services, Volume 55,2020,102059, ISSN 0969–6989, https://doi.org/10.1016/j.jretconser.2020.102059.
(4) “The United States of P@ssw0rd$” https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/PasswordCheckup-HarrisPoll-InfographicFINAL.pdf Accessed 28 November 2021. 10
(5) “Impressive Password Statistics to Know in 2021” https://hostingtribunal.com/blog/password-stats/#gref Accessed 15 November 2021.
(6) “The 2020 State of Password and Authentication Security Behaviors Report” https://mms.businesswire.com/media/20200219005336/en/773763/5/191522-Ponemon-Infographic-2020-final-1.jpg?download=1 Accessed 2 November 2021 12.
(7) “Global Password Security Report” https://www.lastpass.com/state-of-the-password/global-password-security-report-2019 Accessed 28 November 2021 13.
(8) “Two-factor authentication statistics: A good password is not enough” https://dataprot.net/statistics/two-factor-authentication-statistics/ Accessed 5 November 2021 14.
(9) “Why Your Employee Training Is A Waste Of Time And Money — And What To Do About It” https://www.forbes.com/sites/groupthink/2015/08/30/why-your-employee-training-is-a-waste-of-time-and-money-and-what-to-do-about-it/?sh=47a0e25128cf Accessed 5 November 2021.
