Are You Maliciously Complying with Security Policies?

Is your team blindly following security rules?  

Sure, rules are meant to be followed but simply following them without thought may create problems in the long run. Does your team really understand why the rules are in place? Do they know the consequences if they don’t follow the rules?  

Think about a company attendance policy  

You have a boss who holds you accountable to the attendance policy of working from 9 to 5:30, with a half hour for lunch at noon.   

On Monday, you missed your bus. You were only 15 minutes late, but your boss gave you a warning anyway. You tell him you were planning to make up the 15 minutes at the end of the day and apologize for your tardiness. Going forward, you decide to take the earlier bus to make sure something like this doesn't happen again.

However, your boss scolded you without stopping to listen, and that made you angry. You decided you would arrive on time, but when 5:30 came you were going to be the first out the door.

In this example, the policy was clear, but the enforcement became problematic.   

Enforcement of this policy, aimed at team cohesion, ended up destroying the thing it was trying to create. That’s something to think about: when you put a policy into practice you must deal with the consequences of enforcing said policy.   

Working hours are a simple example, but what about other aspects of your organization? What about security policies?

You might have a problem if:  

  1. Your policies frustrate or annoy your team   

  2. Nobody understands why they have to follow the policy   

  3. The rules seem arbitrary  

You might get your employees to comply with rules; they may even follow them to a T. But are you confident in the results?   

I want to challenge you to think about your security compliance from the eyes of your users.  

You already know why they need to comply with different policies but how do you make sure they understand? Could you even take it a step further and get them to want to participate in your compliance program?   

All of this means educating your users on the policies and then energizing them to get on board in a meaningful way. This means they understand the consequences rather than just following a rule for the sake of it.

If you create rules and enforce them to a T, those rules could backfire on you. If a policy is just there and doesn't really protect your business, you risk an employee pointing out the faulty policy. If something terrible happens while that bad policy is in place, you have a problem on your hands.


This is called malicious compliance, and it can put your organization at risk. It causes more than just confusion around the security policies.

If you get cyber hygiene testing done, though, you can show your team what's really at stake and motivate them to follow the policies.

