Why Employees Violate Cybersecurity Policies

Ali Allage is CEO at BlueSteel Cybersecurity, a Security Compliance Consulting Firm

Last year, Huntress Labs reported that several U.S. businesses were the victims of a massive cyberattack. The attack originated from a global IT company whose U.S. operations are run from Florida and then spread through its customers' corporate networks. Before that, the world's biggest meat-processing company paid an $11 million ransom after a cyberattack disrupted its plant operations in the U.S., Canada and Australia.

These types of attacks are increasing significantly, and some cite the escalation as another negative consequence of Covid-19. The FBI reported a roughly 400% spike in reported cyberattack complaints in the first few months of the pandemic.

Fortunately, many cybersecurity policies have been written or revised over the last two years. However, a number of experts still worry that these policies don't specifically target one of the main underlying vulnerabilities: employee behavior.

Are All Cybersecurity Violations Malicious?

A National Science Foundation-funded research study of more than 330 remote employees in diverse fields found that most cybersecurity compliance failures result from intentional but non-malicious attempts by employees to get their work done.

The researchers asked participants to self-report their day-to-day stress levels and their challenges in following cybersecurity policies. They also interviewed 36 professionals about how hybrid and work-from-home arrangements affected cybersecurity.

Employee adherence to security policies turned out to be unstable. Over the 10-day study, 67% of employees failed to stay fully compliant with cybersecurity policies at least once, and across all participants roughly 1 out of every 20 job tasks was done in a way that did not comply with policy. When you consider how many tasks are completed each day across an organization, the scale of this exposure is significant.

When the participating employees were asked to list the reasons behind their failures, the answers pointed overwhelmingly at getting work done under pressure, with workplace stress emerging as the most significant underlying factor. The top three responses were:

• To perform my job tasks more effectively.

• To accomplish something I needed.

• To assist others in getting their tasks done.

These three reasons accounted for almost 85% of the cases in which employees knowingly broke the rules. Very few of these actions were intended to harm the employer: out of all the violations, only 3% were done with malicious intent. In other words, non-malicious violations were roughly 28 times more common than malicious ones.

Stress: Is It the Main Trigger?

Employees reported that they were more likely to knowingly break security policies when they were burned out by their job demands. These employees didn't want cybersecurity policies to get in the way of their work, whether by decreasing their productivity or by requiring extra effort and time. This stress was found to come from several sources, including:

• Family demands that affect their work-related tasks.

• Fears about job security.

• The cybersecurity policy demands.

While the research didn't reach conclusive results about security mistakes people make out of ignorance, the findings did clearly show that the underlying reasons for most policy violations are non-malicious, even when the violation itself is deliberate, contrary to the insider-threat narrative the media often focuses on.

How To Create A Strong Cybersecurity Culture

For employers, creating a strong cybersecurity culture has been a long-standing challenge, in part because the prevailing approach has focused on punishing employees who violate policies rather than helping them stay compliant. Based on the research above, we've developed three recommended approaches that managers can use to build that culture and address the problem.

1. Employ security awareness and training.

Many policymakers assume that employees break security rules out of malice. As a result, their cybersecurity policies are built around that assumption rather than around the real drivers of non-compliance.

The research, however, shows that what looks like malice is usually expedience or ignorance. Many employees simply lack guidance and awareness of what compliance requires. More importantly, employers must recognize the root cause of most violations: employees want to get their tasks done in the easiest way possible and keep their productivity up.

Training should therefore address non-malicious violations directly and explain their consequences for the individual and for the organization as a whole. The main purpose of these sessions should be to give employees a clear, sanctioned option for what to do when workload or stress tempts them to work around a cybersecurity policy, rather than leaving them to improvise.

2. Engage employees in policy-making.

Beyond guiding employees, organizations should involve them directly in developing and testing security policies. They should also equip teams with tools that make the compliant way of working the path of least resistance, so employees can follow policies without sacrificing productivity.

Too often, IT and security professionals define controls without anticipating their impact on employees' day-to-day work. The Covid-19 pandemic made this worse by significantly elevating stress levels. With this in mind, policymakers should account for employees' workloads and stress levels when designing, testing and implementing cybersecurity policies.

3. Ease the job design and workloads.

Before the pandemic, most employees could manage a reasonable balance between security and productivity. Since then, the dynamics have shifted sharply: stress levels have skyrocketed, making it harder both to stay productive and to stay compliant with cybersecurity policies.

Since workload is one of the primary reasons for policy violations, job design and cybersecurity are directly related. To address this, managers should revisit their team's job design and workloads. And because following cybersecurity policies while completing tasks is often genuinely harder, team members should be recognized and rewarded for doing both at once.

Key Takeaways

The current technological landscape has unintentionally made every employee a larger part of an organization's attack surface. To keep their companies safe, managers and technical professionals must sit down together and understand both the human and the technology factors that lead to breaches.
