Discussing the 2015 Insider Risk Report with Martin Dunsby, CEO of Hybridge, Inc.
When we were putting together our 2015 Insider Risk Report, we sat down with several Intermedia partners to get their take on the surprising survey results we found and to hear what they would recommend to solve the issue of risky employee behavior. Here’s the second interview of this series with Martin Dunsby, CEO of Hybridge, Inc.
Question #1: What’s your take on the problem of “Shadow IT”?
“Shadow IT is an indictment of traditional IT being too slow to provide users with the services they need. Traditional IT forces users to go to Dropbox and apps like that. If IT doesn’t want users to use outside apps, they should provide better alternative solutions. IT should be leading with new technology. They should be coming to users and saying, ‘We found the great next-gen thing, and we’re going to help you roll it out.’ If IT was much more eager to help folks take advantage of the treasure trove in the cloud, they wouldn’t find employees trying to actively bypass them.”
Question #2: Why do you think users engage in risky password practices?
“Traditionally, IT guys say that passwords have to have 8 characters, with uppercase, lowercase and special characters, and they have to change every 90 days. No wonder people are writing them down and reusing them! Nobody can remember any of them. Back in the days when systems were standalone and you could brute-force them open, these policies made more sense. Today, it’s pointless to change your passwords every 90 days – if someone gets your password, all your data will be gone in minutes. All these policies do is guarantee that users can’t remember their passwords. This risk is a self-inflicted wound on the part of misguided IT people. These rules are not only obsolete, they’re obstructive and dangerous. They guarantee that users will write stuff down—but they also make users hate IT for making their lives pointlessly hard, which makes users that much less likely to follow IT’s rules.”
Question #3: What do you think is the biggest risk with passwords?
“The biggest vulnerability businesses face, by far, is using the same password in multiple systems. As soon as hackers know one password—which is inevitable—they’ll try those passwords on every other system. So if you use your Evernote password on Wells Fargo, then you’ve got problems. We should be teaching people how to create intelligent, extensible passwords. They should be long, unique, but easy to remember.”
Question #4: Our report found that Millennials engaged in more risky behavior than Gen Xers and Baby Boomers. Why do you think that is?
“In most cases, Millennials know more about the apps they’re installing than IT does. Why would they ask whether or not it’s OK to install Spotify when the IT guys are still stuck in the 80s? IT shouldn’t be rapping users on the knuckles. They should be rolling stuff out rather than waiting for Millennials to install it themselves. These findings aren’t about insecure practices so much as about the confidence levels Millennials show in IT, and how much they view IT as a partner in their business versus a blockage to be avoided and worked around. I bet most Millennials view IT as a bunch of old fogeys to be worked around.”
Question #5: Our report also found that tenured employees engaged in more risky behavior than new hires. What do you think causes this behavior change as employees gain time with a company?
“The main reason new people might follow the rules is a fear of retribution. But the more they get to know the IT team, the more they realize they’re not ogres, the more freedom these employees feel to seek new ways to solve business problems. The people who have been there longer know the business better, and they’re in the best position to pick cloud apps that improve the business, improve service, make more money and make things more efficient.”
Question #6: What are some things you would recommend a company do to combat risky employee behavior and increase overall security?
“We look to see WHY users are creating weaknesses. Everyone and their brother knows they shouldn’t write down passwords or share accounts. But they’re doing it because they see no other way they can do their job—that, or they are rebelling against ‘jump through the hoops’ policies. It’s not about telling people the rules. What I’m talking about is education and understanding combined with reasonable rules and systems, so that individuals acting in their best interest are also acting in the company interest.”
To learn more about the security risks posed by employee behavior and how to protect your company, we encourage you to read our 2015 Insider Risk Report and follow the conversation online at #RiskiestUsers. And read the first in our series of partner interviews, where we chat with Felix Yanko, President of ServNet, and get his take on risky employee behavior.