What makes your employees ignore an acceptable use policy?  How do you increase adoption of policy from your employees?

When you invest time into building a strategy, gaining approval from the executive team, and then implementing said strategy, it’s frustrating see people ignore the plan that you put into place.  

There’s a point to what you’re doing, and if people just followed your plan the company would be in a better place.  

Sound familiar?

The Acceptable Use Policy

As an example, let’s consider the Acceptable Use Policy (AUP) – a staple in any cyber security program.  

The AUP, sometimes referred to as a Fair Use Policy, establishes the governing rules for acceptable and unacceptable use of electronic devices and the company network for all employees and contractors.

Every AUP includes a section on Mobile Storage Devices.  It might look like the following.

Mobile Storage Devices

Mobile devices such as memory sticks, CDs, DVDs, and removable hard drives are prohibited unless approved by the IT Security Risk team with an acceptable business use case.

That sections is sandwiched into 3 or 4 pages that make up your AUP.  Employees give it a scan, sign, and they’re good to go. Right? Starting to see why there’s an issue in employee adoption of security protocol?

This can apply to policy on other topics like preventing Business Email Compromise and CEO Fraud and the following the right steps to Identify Phishing Emails.

They Probably Don’t Know the Rules

When you’re watching employees ignore a policy in the AUP like prohibiting USB drives the first question that you have to ask is – do they know about the policy?  

Sure, it’s in the AUP, and you probably bring it up in leadership meetings and emails, but do they know? Here’s a few ways to be true to yourself.

  • Was the last time they saw the AUP when they were hired?
  • You’ve discussed with leadership/management, but does that mean the information was communicated to the employees?

Removable Media is Changing, and Employees Can Rightfully Claim Ignorance

Removable media includes any device that can store data and be moved to another location.  Employees often think removable media refers to USB flash drives and memory sticks, and they are unaware that it includes a range of devices.  

Storage device examples include CDs, DVDs, floppy disks, external hard drives, and even smart phones, digital cameras, printers, etc.  

Here’s a Few Ways to Determine What Devices Employees Should be Aware Of

  • What removable media devices might employees use in your business?  There’s probably some easy ones like flash drives and external hard drives, but what about smartphones?  Do the smartphones have access to the business cloud storage or email? Are dongles required for a business use case, and send a mixed message to employees?  Once you list all of the devices it’s easy to see that employee might not know what your policy covers.
  • How have you communicated this information to employees in the past?  Let’s face it, if it’s just on the AUP they probably signed it after a click glance.  That might be their stupidity, but it’s your problem.

Culture of Cyber Security Awareness

If employees know the rules, and they know what’s covered in the rules, you have to consider whether there’s a cultural issue.  

Rather than explaining, I’ll give you an example of an issue with a culture of cyber awareness.

ACME Technologies has established an acceptable use policy for all employees that prohibits the use of removable media.  In addition, they’ve communicated this policy to staff by distributing it and requiring a signature.

One day, the sales team is at a conference running their company booth with the sales manager.  

The sales manager has a presentation in a 5 minutes, but his computers about to die so he borrows an employees.  

Since they aren’t connected to the internet, and can’t be bothered to connect to their own hotspot, the manager can’t safely copy the presentation to the employees computer.  

So, what does the manager do?  

Naturally, he grabs a give-away flash drive from the company booth next to them.  Thanks them profusely, and then transfers the files.

This creates a risk in that instant, and violates company policy.  

However, the real risk is that this erodes away from the culture of cyber security awareness that you’ve worked so hard to build.

Once an employee sees a manage ignore the rules, they think the rules aren’t important, or they don’t apply to them either.

Again, this is just a small break in policy, but little incidents like this build on each other to a point in which you don’t have a culture of cybersecurity awareness, rather you have a culture of circumventing cyber security protocol.

Here’s a few ways to build a culture of cybersecurity awareness within any organization.

  • Does your leadership believe in the importance of cybersecurity?  That’s the key. Start there because culture starts at the top. However, this isn’t easy.  You have to tie cybersecurity into the business goals, and how it impacts every person on the leadership team.  Sound like a stretch? Cybersecurity is important to sales leadership because a breach would likely mean a huge drop in sales, and renewals.  Cybersecurity is important to the CFO because a breach would mean a lower top line number as the company loses sales, and higher costs as the company manages the breach…and it may be years before the bottom line looks the same, if ever.
  • I wrote about developing a leadership team that embraces cybersecurity in depth if you want to learn more on the topic.

Risk vs Convenience

Policy is distributed, Employees are aware, and Culture is Strong.  

Employees still pick up a flash drive from the parking lot and stick into their work machine.  What’s up with that? Risk vs Convenience.

What’s the risk of doing this action versus the time it saves?

The first time I was in an organization that prohibited the use of removable storage, employees just didn’t care.  It was risk vs convenience. The risk that anyone finds out, talks to me about it, reprimands me, is extremely low if not zero from the employee point of view.  

The convenience can be great – transferring something on a memory stick versus and approved transfer service might be the difference of a couple minutes, or a couple hours if it’s a large file that takes a while to upload, and download.  

This boils down to culture.  

Once the CXOs buy into the important of cybersecurity, management must buy-in.  

Once management is onboard, employees must adopt the culture. But how?

The same way you changed the executive teams mind – employees must understand why cybersecurity is important to their jobs.

For a salesperson it might be lost sales, and for a product manager it might be keeping information safe to keep their product/company competitive.

Here’s a few ways to help employees understand risk vs convenience.

  • Start with management.  Employee managers should understand the drivers of their employees. What makes them tick.  Is it the success of the company, success of their customers, or is it just a paycheck? Identify those things, and then help the manager understand how employees play an important role in cybersecurity.  The value is two fold – increase cybersecurity culture with management, and increase cybersecurity culture with employees.
  • Raise awareness of the risks with weekly emails, or by sharing information in monthly meetings. Chances are a competitor or well known company in your industry has had a cyber related issue.  Use that to explain how it impacted their business negatively, and your business positively, and so your company is focusing on maintaining that competitive edge.

Improving Employee Adoption of Your Removable Media Policy

Improving employee adoption of your removable media policy starts with identifying the root cause of poor adoption, and most of these can apply for just about any policy.

 The reasons employees do not adopt your Acceptable Use Policy include:

  • Employees are not aware of the policy
  • Employees do not understand the policy
  • Leadership hasn’t adopted the policy
  • Employees haven’t adopted the policy (Risk vs Convenience)

While developing a policy can be a challenge, successful execution and adoption of a policy is an art.  

By identifying the root cause of poor adoption, and building a culture of awareness your employees will increase adoption of policy like acceptable use for removable storage.

About Us

Wuvavi provides the world’s only cyber security awareness platform developed for small and medium sized businesses.  Wuvavi allows SMBs to deploy enterprise grade awareness training and simulated phishing campaigns to their employees, track progress, and receive completion certifications. Learn more and sign up for a free trial.