My car recently went through its annual NCT (national car test).

For reasons unique to the Irish testing system, I had to travel to a different test centre this year. While its physical layout was very similar to the test centre that I usually use, the process to register the vehicle at this test site was completely different.

When I drove into the test centre site, there was a large ‘Customer Parking’ area outside the building. At the end of the ‘Customer Parking’ area was a very prominent sign pointing to ‘Reception’.

The sign even had an oversized arrow, in case I was unsure.

However, as I found out after parking in the ‘Customer Parking’ area and queueing at ‘Reception’, I wasn’t supposed to park or queue there.

I was supposed to drive past the ‘Customer Parking’ area and go around to the back of the building to hand over my car there. Once that step was done, the ‘Reception’ would then be ready to receive me.

As I was not familiar with this particular site, I assumed I must have missed some obvious sign at the entrance to the site. But while waiting for my vehicle to be tested, I watched as over 80% of the people who arrived after me did exactly what I did.


What’s my point?

If we want people to do things in a particular way, we should ensure that we clearly communicate what we expect of them.

Wherever possible, we should guide them with appropriate signage so they know how to act in specific circumstances.

And we should also remove any distractions that might cause them to take a wrong turn.


What has this got to do with cybersecurity?

Are we sure that our staff members are clear on what is expected of them?

Or does the staff security policy just contain scattered “must” and “must-not” statements across dozens of pages, intermingled with lots of other information that has no bearing on a staff member’s obligations?

And have we implemented technical measures to reduce the risk of them taking a wrong turn?

For example, enforcing Multi-Factor Authentication and strong (i.e. long, rather than merely complex) passwords at the system level means a staff member has no choice but to follow the expected course of action, regardless of whether they have read the policy.


So what?

Like many things in life, security can be quite simple.

Let’s make sure we’re not overcomplicating it.