When companies drive a wedge between their workforce and their security culture, not only do they reduce best practices, but they also increase stress and jeopardise secure behaviours. We need to stop blaming employees for cybersecurity breaches and look at the real reasons that data is compromised.
Furthermore, as long as there are humans at work, there will be human error at work. It is natural, and never 100% avoidable! Instead of playing the blame game, we need to focus on minimising cases of human error and maximising efforts against cyber attackers.
The majority of employees in any given organisation are hard workers who want nothing to do with a cybersecurity breach and its overarching ramifications. However, even as far back as 2020, researchers from Stanford University found that 88% of all data breaches are still caused by an employee mistake.
Often, these mistakes are not malicious and come as a result of simple human error, employee negligence, or a lack of training/knowledge on how to correctly behave when handling sensitive information. Not a single one of these reasons justifies any organisation blaming the employee for the breach. In truth, they will have been left short in their development, not armed with the right knowledge, and not drilled to behave securely in every action.
Why making employees the focus doesn’t work!
If your security culture’s foundation assumes that employees will be the reason for any potential breach, you create unnecessary security-related stress amongst your workforce. This can lead to mistakes made under pressure and a self-fulfilling prophecy, where your employees do not feel supported in their actions and are careless as a result.
Much of the problem is not a new phenomenon. Also from 2020, a report from cybersecurity firm Avast found that 40% of employees at small and medium-sized organisations who mistakenly click on a malicious link know they will be held personally liable for the breach. As a result, they are less likely to report the incident, which can lead to even bigger ramifications.
Conversely, when we approach employees with positive intent and are supportive with easily accessible security advice and resources, we make secure behaviours second nature rather than a hurdle that employees need to always look out for.
How to support secure behaviours from the very first day
Taking everything we’ve discussed so far into account, we need to encourage secure behaviours in employees from the very first day. Every new employee will go through an onboarding process. It is highly beneficial to bake security protocols and training into these onboarding processes. If you use your first impression to set a secure tone, telling new employees that the security team is a support team rather than an enforcement team, you start off on the right foot. Provide reporting materials to your employees and make it clear that assistance is available and that no question is too silly to ask.
Is your security campaign consistent and regular?
Too often organisations see cybersecurity training and development as a one-and-done project. However, it is essential that we provide regular and comprehensive cybersecurity and awareness training. You want to create a workforce that adds secure behaviours to their list of subconscious behaviours rather than a workforce that sees secure behaviours as a hindrance to their actual work.
You also need to make sure that your training, whilst regular, is also engaging and effective. How can you do this? Keep the training fresh by changing the format and making it as interactive as possible. Organisations that create training materials and resources can gamify teaching for you and also provide variety in the way it is presented. Whether it is group activities, gamification, physical murals, eLearning courses or simulated training, you can always innovate in your training deployment to maximise information retention.
Who’s getting blamed? 18–24-year-olds
Way back in 2018, the section of the employee workforce prone to getting all the blame was those between the ages of 18 and 24. According to Centrify’s report from 2018, 37% of decision makers think younger workers are too relaxed about security measures. This is attributed to the increased use of social media at work by this demographic, which opens up many security issues. 67% of managers are also concerned that this particular cohort is more prone to opening phishing emails and malware-laced messages.
However, the truth is disconnected from what managers and decision makers think. These employees have lived and grown up in a digital world. They are, if anything, more wary and secure with their online behaviours as it is all they have ever known. In fact, Centrify found that only 10% of next-gen employees will click on suspicious links, which is in line with every other age group in an employee base.
The need to blame someone or an entire demographic ignores the real issues: a lack of truly targeted, engaging, and effective cybersecurity training and development. Centrify’s report further details that “one in five companies fail to provide next-gen workers with clear guidelines on basic security issues”.
In conclusion: playing the blame game leads to no changes!
Cyberattacks and cyber breaches will continue to occur and even increase in ferocity – so you can bet that the blame game will still be played in many organisations. In reality, playing the blame game does nothing to secure your company against the next attack or human error.
Employers need to start focusing on cybersecurity and awareness training and development through consistent deployment and comprehensive onboarding protocols. The focus also needs to span every age demographic, since the concentration of attention on next-gen employees has proven to be outdated, false, and misplaced.
As an aside, it would be nice to see a fresh examination of employees in the 18 to 24 age range to see if these false perceptions still exist in today’s work environment. This would be especially fascinating, as the workforce has shifted dramatically since these studies were originally conducted. Has remote work affected the negative estimations of the security practices of the young workforce?
If there’s anyone to blame in the case of a cyber breach, it is the criminals who are maliciously trying to trick your employees or the weak security protocols in place at your organisation. If you can work to have one enemy – the cybercriminals – you can create one united secure front rather than a fractured workforce who are second-guessing all their actions.
Finally, preventing data breaches and staying secure is the job of everyone in an organisation. The responsibility for a data breach should never fall at the feet of one person or one department. Above all, instead of wasting time on attributing blame, the energy and money would be better spent on protocols to reduce the chances of another breach.
About the Author: Zoe Edmeades is the co-owner and Managing Director of The Security Company (International) Limited. Zoe works with global organisations to support their security culture journey, creating business plans to ensure both TSC and their clients continue to grow, be competitive and profitable. Operating in the world of security since 2007, Zoe saw cybersecurity was growing into a behemoth and wanted to be at the forefront of it. Zoe started at TSC as a Project Manager, moving to Head of Projects in 2009 following completion of the Accelerated Talent Development Programme at Cranfield University, before finally becoming Managing Director in 2012.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.