When nudge security is a waste of time

Nudge security doesn’t work …

when you miss these 3 things

Somewhere in downtown New York in the United States, young window-cleaning recruits are going through safety training, analogous to the rigorous induction many modern workforce members receive when joining a company with a comprehensive security posture.

“Wear a safety harness at all times,” Their supervisor tells them, not unlike a cybersecurity officer reinforcing the use of strong password practices, as she demonstrates how to put it on before slipping into a rather lengthy monologue about the importance of, you know, not falling to their deaths or, in the digital realm, succumbing to a security vulnerability.

So, the recruits know the theory, they’ve put it into practice, and they understand the risks. In other words, they know what to do, how to do it, and why they should do it. Just as the recruits understand their role in physical safety, every device user in an organization should grasp their responsibility to prevent a breach.

But the supervisor knows people make mistakes. She’s seen it before. And she doesn’t want to see it again. Which is why she makes every recruit go through a ‘harness checkpoint’ right before they step onto the scaffolding. In the same vein, IT departments often deploy SaaS security tasks to keep a close watch on potential security risks.

It’s nothing special. Just a red stop sign and the words “We don’t have a safety net” in large bold letters. It’s a minor intervention, but in her experience, that security control is enough to get her employees to pause, think twice, and give their harness another tug. This practice mirrors what a well-designed cloud security alert could do, potentially preventing a threat actor from exploiting an unsuspecting user.

Pretty straightforward, right?

Generally, human behavior is pretty open to nudges. And here are some everyday examples of security nudge theory in action to prove it! So it’s about time the industry embraced nudge security, in order to keep our digitally interconnected world safe and secure.

But nudges aren’t a magic wand. If you want nudges to pull their weight as part of your cybersecurity strategy, people need to know what to do, how to do it, and understand the value of their actions.

If the window-cleaners don’t know how to conduct the proper safety checks, then there’s going to be some friction whenever a window-cleaner encounters the sign. At best, they look for help, and, at worst, they shrug it off, ignore the threat and step on the scaffolding anyway.

The same goes for nudge security. Without the knowledge and understanding of how to respond to a security prompt, even the best-intentioned nudge could fail, leaving a digital door open for threats.

The ‘what’, ‘how’, and ‘why’ of effective nudge security

The fewer speed bumps there are along the road toward performing positive behaviors, the quicker your people can adopt long-term security behaviors they need to make your organization—and themselves—safer. 

Take SaaS sprawl as an example. SaaS sprawl is a term used to describe the accumulation of an extensive array of SaaS tools within an organization, typically without sufficient vetting or management. This can result in an overwhelming and unmanageable stack of tools that negatively impacts productivity and drains resources. The process of SaaS sprawl is often gradual and can occur without notice, causing insidious harm to organizations over time.

• You can’t nudge someone to do something if they don’t know what to do.

• You can’t nudge someone to do something if they don’t know how to do it.

• You can’t nudge someone to do something if they don’t understand why they need to do it.

Well, okay, those three statements aren’t entirely true. You can always nudge people to do things. Seriously, with a good nudge security provider, you can schedule or send out your nudges with a few clicks. You’re just going to get better results if you also address the ‘what’, ‘how’, and ‘why’.

Alright, so, the secret to an effective nudge security strategy? Removing obstacles. That means addressing knowledge and technical gaps and vulnerabilities with behavioral security awareness training, providing your employees with support when they need it, and taking steps towards a more people-centric security culture.

When the ‘what’, ‘how’, and ‘why’ is clear, it becomes easier—and more likely—for people to follow-through with the right behavior when they get a nudge.

Of course, in a perfect world, modern organizations wouldn’t need nudge security at all. But people have their faults, and so does traditional security awareness training. 

So, nudge security is here to compensate. And to help cybersecurity teams finally address the ‘human’ in ‘human security’—you know, the forgetfulness, the procrastination etc.  A nudge could be:

Smart tech is learning when to ask us stuff that might help us out. Say you use your virtual assistant to order your weekly groceries, your assistant then knows some useful things:

• An app notification encouraging employees working remotely to stay secure by activating a VPN before connecting to a public network.

• A prompt to set up two-factor authentication (2FA) before logging on to the system to prevent data breaches..

• A pop-up at the end of the work day to get people to install the latest software update.

So, the takeaway is this: When people are confident in their modern cybersecurity knowledge, have the skills they need to put it into practice, and recognize the value of good security behaviors, then nudge security can help you steer behavior change and complement your human risk reduction efforts.