Around the world today, people are either part of the solution or part of the problem. In information security, we mostly hear about the latter: the user who clicked the link, reused the password, or ignored the warning. There is far less discussion of people as part of the solution. Yet getting users on board with web security is an essential part of any information security program.

But how? It’s actually easier than you might think. 

The best thing you can do is to treat your users as part of your security team. Treated that way, they are far more likely to see themselves that way, with everyone working toward the same goals. Whether it happens within your organization's formal security awareness training program or in more ad-hoc sessions focused specifically on web security, one of the most effective things you can do is share concrete ways that people have created security risks in the past, including:

  • Choosing weak web passwords and reusing the same credentials across business and personal accounts, so that one compromised site exposes the others
  • Being careless when accessing sensitive web applications from a mix of computers and mobile devices, especially potentially vulnerable systems at home and public computers such as those in hotel business centers and libraries
  • Ignoring notifications to update web browser software and related add-ins, leaving known, patched vulnerabilities exploitable
  • Blindly clicking links and browsing questionable websites
  • Connecting to unsecured Wi-Fi, or not using VPN software to protect web application sessions when it is required
  • Overlooking the value of a password manager for keeping web credentials unique and protected
  • Selling or giving away personal computers and devices without wiping them, which can expose sensitive web browser data such as visited links, saved passwords, session cookies, and cached files
  • Not speaking up and reporting potential security concerns when they see them, such as strange application behavior and unexpected error messages

It's good to discuss the challenges, but it's just as important to talk about solutions. Areas you could educate your users on include:

  • How to avoid common password vulnerabilities and choose long, unique passphrases, not just for critical work systems but for everyday websites, mobile apps, and the like, so that everything is protected across the board
  • Web vulnerabilities uncovered in your most recent security assessments, and what the consequences to the business would have been had they been exploited
  • Real-world breaches that other organizations have suffered and how the same scenario would be handled in your business. If your business has suffered an incident or breach, share what could have been done better and what will be done differently going forward.
  • What to look for in web privacy policies and end-user license agreements when signing up for new accounts, installing software, and so on, since these can create unnecessary exposures
  • A day in the life of a web security professional: typical concerns, training courses you might take, tools you use, reports shared with management, and so on

Most web security challenges are messy, and the people side of security is arguably the hardest to master. There are many opportunities for people to be part of the solution, and most of them come down to training users periodically and consistently rather than once a year.

You may be spending tens or even hundreds of thousands of dollars on technical web security controls and services each year. Given what's at stake, why wouldn't you spend what it takes to improve your odds on the user variable as well? Starting today, take these ideas and find creative ways to get users on your side. Day after day, your users are either working for you or against you. The time and effort you invest in them will show which side of the web security equation you want them on.

Kevin Beaver

Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 32 years in IT and 26 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security.