To Escalate or Not to Escalate? More Food for Thought.
Regardless of your stance on employee security awareness training, establishing an escalation path for end users who are “repeat offenders” is not something to enter into lightly. We certainly recommend doing your research and listening to what experienced infosec professionals like Levine, Sprinsky, Muscatel, and others have to say on the subject. We also suggest the following:
- Abandon an “IT vs. end users” mentality and consider whether your organization’s employees have truly been prepared to make the right decisions. Too often, users are filed under “S” for Stupid and are not given the opportunity to learn new behaviors. Mistakes are made in a hands-on format; security awareness training should be delivered in the same manner.
- Acknowledge the clear distinction between malicious intent and human error. A user who makes an honest mistake is different from a user who is too lazy to care, and both of those are very different from malicious insiders who intentionally harm your organization.
- Talk to your HR department and management teams to learn their thoughts about end-user penalties and the potential consequences of an escalation path. There could be labor laws or other legal concerns that prohibit punitive actions. It’s likely you would need Board approval before implementing a plan of this nature, so you’ll need to do your homework.
- Be prepared to draw a definitive line in the sand. If, in your mind, you are already letting certain people off the hook — like C-level staff, key business roles, or even yourself and your team — you should scrap the idea of proposing an escalation plan. If you are going to do it, it needs to be done consistently, regardless of who makes the mistakes.