– Originally written by Miles Tappin, VP of EMEA at ThreatConnect –
As the COVID-19 pandemic gradually begins to ease, another global crisis rages unabated: cybercrime.
In the US, the FBI’s cybersecurity in-tray is overflowing, with a 69% increase in complaints between 2019 and 2020. In the UK, last year was the busiest on record in terms of cyber-attacks on businesses, while globally, reports of hacking surged 125% during the first half of 2021.
Who’s to blame for this wave of digital wrongdoing? The answer should be obvious: the keyboard criminals who want to steal their way into ill-gotten gains. And yet, the blame is regularly put on employees.
An employee unwittingly clicks on a suspect link or installs an unauthorised download. We’ve all been there. Human error can strike at any moment, and rarely is there malicious intent behind it. They’re just people, and people make mistakes.
If an organisation is targeting its employees over cyber concerns, it’s doing something wrong. Here’s how to set things right.
Stop the blame game
Perhaps a new employee wants to sync their personal account to a work device, unaware that corporate data will automatically upload in the process. Or maybe it’s a remote working colleague who’s accessing company servers unofficially while at home.
These may sound like minor infractions, but when they come to light, the disciplinary consequences can be serious. A recent study found that almost half of upper-level managers would reprimand an employee over data loss, while 25% would likely fire the staff member in question.
This culture of blame risks creating negativity and bad feeling towards bosses, which, in turn, can lead to reduced levels of productivity. In fact, research indicates that anxiety around hacking and cybersecurity is a greater source of employee stress than owning up to mistakes or sharing private emails with their manager.
Perhaps most damaging, however, is the blame game’s tendency to pit employees against in-house digital security teams. For a company’s cyber defence to function properly, colleagues at all levels must be on the same page and willing to cooperate.
Create a cyber positive environment
Rather than foster a culture of culpability, business leaders must find a healthier, more constructive approach to cybersecurity – one that doesn’t focus on apportioning blame.
Building a positive environment around digital safety starts on day one. Discussions on cybersecurity should be built into the onboarding process for new employees, sending a clear message that IT teams are cyber-allies, not adversaries. First impressions count, so it’s vital that a collaborative tone is struck from the get-go.
While rules should be spelled out, too great an emphasis shouldn’t be put on what not to do. Instead, examples of best practices should be shared, as well as what to do if something suspicious arises online. Keeping an open line of communication is necessary, as well as having an organisational structure in place that values employee feedback. This will ensure that employers are giving the right information to their employees, and in turn, employees won’t be afraid of asking security-related questions.
Get this right, and employees will view their place of work as a safe space – somewhere they feel empowered to ask questions and own up to mistakes.
Train employees to be cyber-defenders
Cybersecurity tuition can’t just be a bullet point on the new-employee checklist; it should be a recurring event in every company’s staff calendar.
Studies suggest that nearly two-thirds of organisations rely on self-reporting to identify data breaches, which means a culture that punishes mistakes suppresses the very reports detection depends on. With regular and effective training, workers will start to see themselves as part of a protective buffer around the systems they use, not a cyber-liability waiting to go wrong.
Key to this is highlighting that not all data loss incidents are dramatic digital smash-and-grabs; many are unintentional leaks and mundane cyber-missteps. This point can be driven home with interactive phishing exercises in which employees earn points for good practice, including for reporting a lure they did not fall for.
Take pressure off employees
Although many of us roll our eyes at the possibility of falling for cyber scams, we must acknowledge that if those tricks didn’t work, malicious actors wouldn’t keep trying.
Blaming employees as the ‘weakest link’ is no longer a good enough excuse. Businesses must do better to understand the cyber attacks facing their company and use technology to better secure their systems.
When it comes to phishing, early detection and speedy incident response are imperative to prevent data breaches. There is no one-size-fits-all solution to preventing and mitigating phishing, but security teams can save themselves time and stress by leveraging threat intelligence and establishing stronger email filtering. Filters driven by known indicators cut the volume that reaches staff, but no filter catches every lure, so a reporting path that employees are not afraid to use remains part of detection rather than an afterthought.
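As an added illustration (not code from the original article or from any ThreatConnect product), the following Python shows how the two controls just named fit together: inbound mail is triaged against a set of known-bad indicators from a threat-intelligence feed, and a user's phishing report, once an analyst has confirmed it, is promoted into new indicators so the next copy is quarantined instead of relying on the next recipient to spot it. The indicator values, the message format (a plain dict) and the sample messages are all constructed for this example; the domain reduction is deliberately naive.

```python
"""Triage inbound mail against a threat-intelligence indicator set.

Added example for this article, not code from the original or from any
vendor product. It shows the two controls the text names: filtering driven
by known-bad indicators, and a feedback loop in which a confirmed user
report becomes a new indicator. All indicator values and messages below
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


@dataclass
class Intel:
    """Indicators taken from a threat-intelligence feed (constructed values)."""
    bad_domains: set
    bad_urls: set


def registered_domain(host: str) -> str:
    # Naive "last two labels" reduction; production code would consult a
    # public-suffix list so that e.g. example.co.uk is handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(addr: str) -> str:
    """Registered domain of a 'Name <user@host>' or 'user@host' header value."""
    m = ADDR_RE.search(addr)
    return registered_domain(m.group(1)) if m else ""


def extract_urls(body: str) -> list:
    # Strip trailing punctuation that belongs to the sentence, not the URL.
    return [u.rstrip(".,;)") for u in URL_RE.findall(body)]


def triage(msg: dict, intel: Intel):
    """Return (disposition, reasons) for one message.

    'quarantine' = matched a known-bad indicator; never shown to the user.
    'flag'       = heuristic only; delivered with a warning and a one-click report.
    'deliver'    = nothing found.
    """
    hits, warnings = [], []
    sender = header_domain(msg.get("from", ""))
    reply_to = header_domain(msg["reply_to"]) if msg.get("reply_to") else sender

    if sender in intel.bad_domains:
        hits.append(f"sender domain {sender} is a known-bad indicator")
    if reply_to != sender:
        warnings.append(f"reply-to domain {reply_to} differs from sender {sender}")
    for url in extract_urls(msg.get("body", "")):
        dom = registered_domain(urlparse(url).hostname or "")
        if url in intel.bad_urls:
            hits.append(f"url {url} is a known-bad indicator")
        elif dom in intel.bad_domains:
            hits.append(f"url domain {dom} is a known-bad indicator")

    if hits:
        return "quarantine", hits + warnings
    if warnings:
        return "flag", warnings
    return "deliver", []


def ingest_report(msg: dict, intel: Intel) -> set:
    """Feedback loop: promote the sender and URL domains of an analyst-confirmed
    user report to blocking indicators. Returns the indicators that were new.

    Call this only after confirmation: a spoofed From: header could otherwise
    push your own or a partner's domain onto the block list.
    """
    candidates = {header_domain(msg.get("from", ""))}
    candidates |= {registered_domain(urlparse(u).hostname or "")
                   for u in extract_urls(msg.get("body", ""))}
    new = {d for d in candidates if d and d not in intel.bad_domains}
    intel.bad_domains |= new
    return new


if __name__ == "__main__":
    intel = Intel(bad_domains={"payroll-update.example"}, bad_urls=set())
    reported = {"from": "IT <it@helpdesk-portal.example>",
                "body": "Reset your password: http://helpdesk-portal.example/reset."}
    print(triage(reported, intel))          # delivered before anyone reports it
    print(ingest_report(reported, intel))   # new indicator from the confirmed report
    print(triage(reported, intel))          # the next copy is quarantined
```

The split between `hits` and `warnings` is the point of the design: indicator matches are decided by the feed and never reach a user, while heuristic-only findings such as a reply-to mismatch are delivered with a warning and a report button, because a heuristic alone is not grounds to hide a message and the user's report is what turns it into intelligence.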
The best defence for organisations against future attacks is to fully understand the risks they face so that defences can be prioritised. For example, if a particular campaign is targeting your sector, your company is more likely to be hit next with the same attack. Organisations need to stay one step ahead: quantify the risk facing their business and prioritise defensive actions accordingly.
It is also vital that a feedback loop exists within a business, where intelligence about threats constantly feeds operations and insights garnered from operations are fed back into the intelligence. Cybercriminals are becoming more sophisticated. Organisations need to demonstrate they are serious about protecting data, keeping their business secure, and developing intelligence-driven security operations to minimise the threats they face.
The blame should no longer lie with employees. Organisations need to step up and educate employees on the right tactics and strategies to keep themselves and the organisation as a whole safe, as well as adopt technologies that will protect their organisation in the long term.