Behind Employee Cybersecurity Efforts or Lack Thereof
Cyberattacks can cost businesses a lot of money. They’re also more prevalent today than ever before. It seems you can’t go a couple of news cycles without hearing about some organization that has been hacked or scammed, resulting in the sensitive data it holds being sold online, vast operational downtime, or worse. For this reason, many organizations have deliberately built up their cybersecurity infrastructure, enhanced their policies, and invested in training to ensure that they aren’t the next victim. Unfortunately, this attention doesn’t always work.
The Federal Bureau of Investigation has found that cyberattacks increased about 400 percent from 2019 to 2020. Doing what you can to keep your organization’s computing resources secure is extremely important. The cybersecurity outlays made by businesses and other organizations have been immense, and that has led to a sobering reality. Most of any organization’s security problems, especially those relating to malware deployment, are due to employees’ lack of conscientious decision-making when faced with problematic situations.
It doesn’t matter how much more secure or how much smarter you make your organization’s information system security, it can all be for naught if one employee doesn’t do what they should. This is extremely frustrating for IT people, since it is one of their core responsibilities to keep these systems secure. Let’s take a look at how employees fail to keep their credentials secure and what you can do to remedy this worrisome trend.
Employees as Attack Vectors
Increasingly, workplace strategies have been altered significantly. In fact, millions of workers are now working remotely, effectively distributing a business’ operational network. For the IT professional who is in tune with the current threat landscape, workers who don’t do everything they can to protect organizational data and infrastructure are typically viewed as ignorant or, worse yet, as saboteurs. Unfortunately for everyone, the driving factor is not negligence or a willingness to do their organization harm; it is workplace stress, a factor that is difficult to quantify and harder yet to eliminate.
A study conducted by the Harvard Business Review found some interesting results about the role stress plays in how employees maintain their assumed role in protecting their organization’s cybersecurity. The study found that two of every three workers failed to fully adhere to organizational cybersecurity policies at least once in the 10 workdays over which the study was conducted. During the study, it was found that employees simply ignore the cybersecurity policies around five percent of the time. This may not seem like a lot, but if you consider that it only takes one non-compliant action to result in a major data breach, having dozens of such instances happen each day is putting organizations in jeopardy.
You may be asking yourself, “If they follow procedure 19 times out of 20, why don’t they follow it that other time?” Well, this is where this seemingly clear issue gets cloudy. The study got the answer to this question. The top three responses were:
- “To better accomplish tasks for my job.”
- “To get something I needed.”
- “To help others get their work done.”
In fact, 85 percent of the respondents who were non-compliant with their organizational cybersecurity policies responded with one of these three answers. These employees knowingly broke the rules and in doing so put their organization in jeopardy, not because they were lazy or had simply had enough, but because that was the only way they could efficiently get the work done. In situations where a person is damned if they do and damned if they don’t, they tend to pick the priority.
Most workers weren’t hired as cybersecurity professionals; they were hired to do a job, and if cybersecurity policy gets in the way, they will choose productivity over security every time. If you consider that only three percent of policy breaches were acts of true defiance or sabotage, the other 97 percent are likely perpetrated by dutiful employees. It’s hard to justify stern reprimand for a person who thinks they have the business’ best interests in mind.
Redefining the Importance of Cybersecurity
For the average employee, following procedure is typically going to be a distant second to maintaining productivity. After all, there are very few instances over time where someone was labeled as “great at their job” because they didn’t accidentally start a cyberattack. Moreover, most organizations’ IT support teams can’t really give people the benefit of the doubt; most employees who don’t follow security procedures are looked on as negligent or as deliberately working against the team’s best efforts. The truth is that most training platforms and policies (as they are known to the employee) don’t take into account that there are gray areas that don’t line up with the expectations put on employees by their managers.
To this end, it is more important than ever for employees to be involved in the creation and development of workable cybersecurity policies. Those policies need to take into account that business moves fast, and that a person who is focused on doing the best job they can sometimes isn’t going to be focused on maintaining network security. Managers also need to ensure the members of their team know what they need to do and what those actions accomplish, to reinforce the importance of their cybersecurity efforts.
Most businesses celebrate employees who excel at their jobs. Today, the job is actively changing, and employees have to know why straying from procedure is a major problem. The problem is that after one wrong move, the company is dealing with malware, reputation troubles, and loss of revenue. While it might be ridiculous to celebrate adherence to corporate cybersecurity policies, people have had cake for less.
If your business needs help balancing productivity with its cybersecurity policies, give the IT security professionals at Directive a call today at 607.433.2200.