Whether you think of your peers as Layer 8 "problems" in your own OSI stack, or as a human firewall that should be able to detect and respond to incoming threats like everything else in well-functioning organizations and your general staff. Committing to your information security goals is ultimately a matter of culture.
And the strongest safety cultures are those where every employee fully understands that they are on the front line. They are extended members and the early warning system of your core team in the Security Operations Center (SOC).
Make it easy for co-workers to voice concerns about something they've seen or experienced. We all know the motto "if you see something, say something" that we often encounter when traveling on public transport. Rather than resorting to the standard practice of developing and publishing a complicated policy that outlines several steps for the employee to take when they encounter suspicious activity, make it simple and natural to report it. Reducing friction pays off.
advertising
Carefully consider how this affected employee can reach your information security team directly by phone and chat. Providing multiple channels to request help increases the likelihood that the employee will use one of them. An employee who finds it too difficult to fill out your support form to open a ticket may be an employee who decides that it's just not worth interrupting their day to follow the correct protocols.
It is also very useful to explain the "why" while dictating the "how". Attack vectors that are obvious to you as a security professional may not be clear or even visible to someone who doesn't live and breathe security every day. Make it real by treating your employees like they all are with tips and insights that can help them manage company resources not just during office hours, but also at home.
For example, explaining and demonstrating why password reuse is so risky is a good place to start. A story in which you lay out the steps required to compromise a single account and how that can directly lead to compromises in ten other accounts might be something your general staff hasn't taken the time to think about. The recommendation of a password manager (and the support of your helpdesk) is a profitable investment in the short term.
Read More: Best Daily News Update From White Hat Ranker
And here's one final thought to keep in mind. Calling your employees a "human firewall" is an analogy that can fail the same way the old perimeter-based security model failed. The old firewall that secured your perimeter was considered an impenetrable defense control, and it clearly isn't. And your employees shouldn't have the burden of being security checkers who are supposed to never make mistakes.
Treat your co-workers as valued members of your extended security team, not as "problems" that your SOC must eliminate on a daily basis.