Blogger Series graphic showing a man working on his computer.Your people just want easy and effective ways to do their jobs. A security culture can turn security into a benefit – not just a necessity. AI can help you build this culture, but how do you get your employees to care?

It’s 9am as you walk into the office. The lights are out. The doors lock behind you. You try to check your email, but the internet has been disconnected. When you reach your desk, you’re astounded to find it’s been replaced with a soundproof box.

This is the ideal world of security. Nothing gets in, nothing gets out. But, of course, nothing would get done.

It sounds ridiculous, but it’s not far from the reality I left behind to join Microsoft in 2012. On my first day here, I brought my laptop from home, just in case. Of course, I wasn’t sure how useful it’d be; surely there would be no chance I’d be allowed to plug into their network and join the domain…

So when Microsoft let me do exactly that, I figured it was a test – the job I’d just left would’ve fired me for gross misconduct. But it’s nothing like that here. Here, we trust people to work their way. But we always assume compromise. Employees can work on any device they want, because our network carries out a security check automatically, every time.Man working on his Surface Book in the office

This is our security culture. It’s a quick process that doesn’t intrude on the way we work. And it’s how we’ve helped employees care about security.

The security to say “yes”

Now, in my role here at Microsoft, I’m on the other side of things. Trying to keep up with the new technology my team needs to work. The biggest lesson I’ve learned from our security culture has been: You’ve got to trust your people.

Employees just want to do their jobs the best way they can with the tools they prefer. That’s why they send work to devices and services at home, even though they know they shouldn’t. They download apps they’re familiar with, even if they’re not approved. And they reuse the same password, even when they know it’s been compromised, because it’s better, easier, and faster.

They want to do the right thing, but not at the cost of their productivity – or satisfaction. You have to accept they’re not going to put security before either of those things. That’s why, in a security culture, well-meaning employees aren’t punished for making honest mistakes. It’s up to technology and managers to make security easy for employees to manage on their own.Microsoft Cyber Defence Operations Center

After all, what’s the alternative? Enforce security measures without explaining them – and punish any employee who doesn’t follow them? That’s how you push your people into finding faster and riskier ways of working.

Instead of saying no, a security culture welcomes new technology – because a security culture is prepared. It relies on people but it’s supported by apps, features, and AI tools that make security part of the culture. Apps, features, and AI tools like these…

Five tools you can use to start building your security culture

1.     Add extra layers of security with multi-factor authentication

If you’re only going to take one thing away from this blog, take this. Switch on multi-factor authentication on any device or service that supports it. If it’s not supported, question whether that device or service is right for you. Multi-factor authentication kills the vast majority of attacks and, when it’s done right, makes for a better user experience.

2.     Put the rules where nobody can miss them with Tool Tips

Turn your security policy from some abstract list of rules, into practical pointers employees can use every day. You can do this with Tool Tips on Office 365 and Azure. This uses AI to prompt people when it looks like they’re about to do something risky like opening an unknown attachment, sharing their personal details, or sending information to someone they shouldn’t be sending it to.

3.     Assess the risk and respond appropriately with risk-based conditional access

It’s not enough to just say yes or no. These days, different devices, tasks, and requests all come with different degrees of security risk. That’s why we built risk-based conditional access into Office 365 and Azure. So you can assess the risk for yourself, implement a rule specific to the case, and use AI to apply it automatically in the future.

4.     Know where you’re starting from by turning on reporting

To totally understand your current security culture, log every breach. Take notes. Have conversations. Once you understand how and why your employees are breaking your rules, you can find ways of making them easier and more productive to stick to. Instead of implementing and enforcing severe data protection policies on your well-meaning employees.

5.     Protect your devices and accounts with a password manager

You’ve got lots of passwords. Or maybe you’ve only got a few that you use on lots of digital accounts. But until password-less authentication is the norm, that’s the way it is. You’re bound by policies and complexity requirements. A password manager is a simple way of ensuring every service has a unique and complex password – all you have to remember is the master, and the app completes the login for you. There’s a password manager like this built into Windows.

So how do you get employees to care about security?

You make it easy. You make it better than not caring – and not through threats.

When employees can confidently use their own devices and apps, you’ve made security an enabler, not an obstacle. When following the rules means employees have the power to work their way, you’ve made security a carrot, not a stick. And when working safely is just another part of your employees’ everyday, you’ve got a security culture.

And it’s easy to build yours with Microsoft 365 so you can empower your people to do their best work securely.

Learn more

4 ways to transform your employees into cyber security champions

Empower your employees to be creative and work together securely

Talking 365: How to avoid security nightmares

Forrester’s Risk-Driven Identity and Access Management Process Framework

Nick LinesAbout the author

Nick is passionate about transforming every person and organisation to be more productive and more secure in his role as Security Product Marketing Lead within the Microsoft modern workplace team. A geek at heart, he spends his spare time experimenting with lasers and 3D printers with his two sons, keeping old computers alive (particularly Commodores), and learning about mechanics to keep an ageing British sports car on the road.