Ali Allage is CEO at BlueSteel Cyber Security, a security compliance consultancy.
Last year, Huntress Labs reported that several American companies were the victims of a massive cyber attack. The attack came through a global IT company whose US operations are run from Florida, and then spread through the rest of its corporate networks. For that attack, the world’s largest meat processing company paid a ransom of $11 million after its manufacturing operations in the US, Canada and Australia were impacted.
These types of attacks are on the rise and some are citing this escalation as another negative consequence of Covid-19. Shockingly, the FBI reported a 400% spike in cyber attacks in the early months of the pandemic.
Fortunately, a lot of cybersecurity policies have been drawn up in the past two years. However, some experts are still concerned that these policies do not specifically target some of the key underlying vulnerabilities: those surrounding employee behavior.
Are all cybersecurity breaches harmful?
A National Science Foundation research survey of more than 330 remote workers in a variety of fields found that most cybersecurity compliance deficiencies result from employees’ deliberate but harmless attempts to perform their work-related duties.
The researchers asked participants to self-report their daily stress levels and their challenges in following cybersecurity policies. They also interviewed 36 professionals to explore how the hybrid or work-from-home culture impacted cybersecurity.
Surprisingly, employee compliance with the security policy was inconsistent. In the 10-day survey, 67% of employees failed to fully comply with cybersecurity policies at least once. This means that, on average, 1 in 20 tasks was performed in a manner inconsistent with cybersecurity policies. When you consider how many tasks are completed each day in an organization, the magnitude of this vulnerability is mind-boggling.
When the participating employees were asked to list the reasons behind their failures, most indicated that “workplace stress” was the most important factor. The top three responses were:
• To perform my work tasks more effectively.
• To achieve something I needed.
• To help others perform their tasks.
What’s even more surprising is that these responses covered nearly 85% of cases where employees intentionally broke the rules. But very few of these actions were intended to harm their employers: only 3% of all breaches were committed with malicious intent. In other words, innocent breaches are 28 times more common than malicious ones.
Stress: is it the main trigger?
Employees reported that they were more likely to knowingly violate security policies if they were too burned out because of their job requirements. Such employees did not want cybersecurity policies to get in the way of their work, either by reducing their productivity or by taking extra effort and time. This stress was found to have several causes, including:
• Family requirements that affect their work-related duties.
• Concerns about job security.
• The requirements of the cybersecurity policy.
While the research was inconclusive about other security mistakes people make out of ignorance, the findings clearly showed that the underlying reasons for most cybersecurity breaches are non-malicious and unintentional, contrary to what the media often focuses on.
How do you create a strong cybersecurity culture?
For employers, creating a strong cybersecurity culture in their workplace has been a major concern for years, especially as their focus has been more on punishing employees who violate policies rather than helping them comply with the rules. Based on the above research, we have developed three recommended approaches that managers can use to build their culture and deal with this situation.
1. Use security awareness and training.
Many policy makers around the world assume that employees break security rules out of malice, to get back at them. As a result, their cybersecurity policies are based on this assumption rather than addressing the real factors.
However, the research clearly teaches us that there is a very fine line between ignorance and malice. Many employees are ignorant and need proper guidance and awareness to continue to comply with the rules. More importantly, employers need to understand the root cause of security breaches. Most employees just want to get their tasks done in the easiest way and maintain their productivity.
In such cases, employees must be educated about non-malicious violations and their consequences for both the individual and the organization as a whole. The main purpose of these training sessions should be to guide employees on what to do if their stress is preventing them from complying with cybersecurity policies.
2. Involve employees in policy making.
Beyond guiding employees, organizations must directly involve them in the development and testing of security policies. They also need to equip their teams with new, advanced tools so that they can more effectively create, evaluate and track these policies.
Typically, IT professionals formulate software protocols without anticipating the impact of these rules on employees’ work. The Covid-19 pandemic has exacerbated this situation by significantly increasing people’s stress levels. With this in mind, it would be wise for policy makers to consider employees and their stress levels when creating, testing, and implementing cybersecurity policies.
3. Simplify task design and workload.
In this technology-driven era, it is not difficult for employees to maintain a balance between security and productivity. But since the pandemic, the dynamics have turned 180 degrees. Stress levels have skyrocketed, making it more difficult to maintain productivity and comply with cybersecurity policies.
Since workload is one of the main reasons for cybersecurity breaches, it is clear that job design and cybersecurity are directly related. To meet this challenge, managers must adapt their team’s task design. Additionally, because following cybersecurity policies while performing their duties is often challenging for employees, team members should be rewarded for maintaining both simultaneously.
Key learning points
Today’s technological landscape has inadvertently made every employee a greater potential threat to an organization’s security. To ensure the security of their business, managers and technical professionals need to sit down together and understand both the human and technological factors that cause breaches.