Technological solutions can give your organisation a substantial level of protection against cyberthreats. However, they aren’t infallible.
Many cyber criminals exploit the chinks in tech’s armour, often by using your own employees as their entry point into your systems.
In fact, the Verizon 2021 Data Breach Investigations Report found that 85% of data breaches involved a human element.
These opportunities increase further when you have remote or hybrid working patterns and employees using personal devices.
Therefore, it’s critical to understand how your team should be trained to protect your business from cyberattacks.
We’ve teamed up with our HR partners, GF HR Consulting, to explore what this means for employers.
Common cybersecurity issues caused by employees
These are some of the most common cybersecurity incidents:
- Revealing personal or company data as a result of opening phishing emails.
- Downloading malicious programs from an email or website.
- Lost/stolen devices or system access information.
- Social engineering – where an employee is persuaded to breach security guidelines.
- Using personal devices which don’t have the appropriate security software installed (eg phones or USB sticks).
- Emailing data to the wrong recipient(s).
Mitigating the risk
The best way to deal with any problem is to stop it happening in the first place. There are a range of tactics you can use to minimise the risk of employees causing cybersecurity issues.
Lead by example
Your leadership team needs to ensure that there is a culture of good cybersecurity practice throughout your organisation.
In their working paper “For What Technology Can’t Fix: Building a Model of Organisational Cybersecurity Culture”, Keman Huang and Keri Pearlson state:
To make this happen, your leaders need to have a thorough understanding of cybersecurity, be involved in cybersecurity activities (eg attending training, communicating policies) and make it a key component of their strategies and decision making.
Cybersecurity training is essential for every employee. It should be provided for any new joiners and repeated every six months across the organisation. This might sound like a lot of training, but cyberthreats change constantly, so it’s vital that your people are aware of the latest developments.
Rather than just dryly listing threats, the training should focus on changing the habits of employees that cause risks. Their knowledge of cybersecurity isn’t the answer to reducing the risk – it’s adapting their behaviours.
For example, if an employee receives 50 emails a day with invoices, it becomes automatic to click to open the attached invoice. This is difficult behaviour to unlearn in order to exercise more caution.
Training should also focus on the specific threats your organisation is likely to face. For example, it should have a different slant for companies with a large number of salespeople working remotely and often on mobile devices, compared to a small business which operates online sales from a single site.
You might consider simulating cyberattacks, such as phishing emails, to keep your teams alert to the risks.
Not only will good cybersecurity training reduce the risk of an employee causing a breach, it can also turn your team into an “early warning system”, alerting you to the possibility of an attack before it happens.
Make it easy to report a cyberthreat
With the right training, employees should be able to spot most cyberthreats. It’s important to make the next step easy for them – that of reporting the threat.
There are a few reasons why employees might be reluctant to raise the red flag:
They’re not sure if it’s a threat
It’s important in training to emphasise that no-one will judge them if they mistake a perfectly innocent client email for a malware attack.
They’re too busy
Your organisation needs a quick and easy way for employees to report a threat. If you expect them to spend more than a minute alerting the appropriate people, you significantly reduce the chances of them doing so.
They don’t want to “dob in” a colleague
If an employee suspects a colleague has caused a security incident, they can feel split loyalties and find it difficult to report the problem.
This situation is worsened when the person they are suspicious of is at a more senior level in the organisation.
It is important that your team feels comfortable making this type of report. Being confident they know what will (and won’t) happen next can help with this.
They’re worried they’ve done the wrong thing
This is the hardest nut to crack – an employee who’s already replied to a phishing email or clicked on a dodgy link. Their anxiety about the consequences might prevent them from telling anyone about it.
It’s essential that employees understand that, firstly, the sooner they report it the more likely their IT department can prevent the attack happening. Secondly, it needs to be made clear that the consequences of making a mistake will be fair and proportionate – basically reassuring them that they won’t get sacked!
An effective cybersecurity policy will offer helpful guidance to employees and make it clear what is expected of them.
The policy should include, but not be limited to:
- The storage, access and use of confidential data.
- Protection of company devices.
- Use of personal devices.
- Guidance for emails received.
- Guidance for downloading files and installing new applications.
- Password management.
- Process for transferring data.
- Reporting of any security threats, including stolen equipment, wrongdoing or approaches from third parties.
- Duty to disclose data breaches.
Most importantly, the policy should outline why this is important and the implications of any incidents for both the company and individuals.
This policy should also form part of your contract of employment (including for contractors). This emphasises the importance of cybersecurity to employees and also gives you the necessary legal foundations should you need to invoke disciplinary action against a repeat offender.
This should extend to ex-employees and employees on furlough/garden leave.
Dealing with employees who cause cybersecurity incidents
Unless you suspect a deliberate act, simply disciplining an employee who causes a cybersecurity incident is not the best approach.
To use an analogy, if someone falls down an open manhole, you don’t just blame them and move on. You put a fence and signs around the manhole to make sure the same thing doesn’t happen again.
Assuming that you already have company-wide cybersecurity training in place, you should consider additional training for anyone who causes a security incident.
More personalised training can take into account the security issue in question and also be adapted to the individual employee’s capabilities and learning styles.
First unintentional breach
On top of the additional training, a verbal warning may be an appropriate action for a first offence. Even security breaches which cause no financial loss or long-term damage should be taken seriously, to emphasise to the employee the importance of cybersecurity.
Repeated unintentional breaches
Should an employee repeatedly cause security issues, then additional training should still be provided. However, this may need to be coupled with more serious disciplinary action.
Each case should be treated individually:
- In some cases, an amnesty might be appropriate, particularly if it is not a deliberate attack by the employee and if their cooperation is needed to investigate the breach.
- In others, a formal warning, suspension or even dismissal may be a proportional response.
In some rare cases the security issues may have been caused by an act that is, at best, negligent and, at worst, deliberate.
To go back to our manhole analogy, this is where someone has ignored the sign, climbed over the fence and jumped in on purpose.
Often this is an emotional act (eg revenge against their employer) or for financial gain. It’s also possible that they are acting on behalf of a competitor or other third party who has persuaded them to sabotage their organisation.
In the vast majority of cases intentional breaches will result in immediate dismissal.
High risk employers
Organisations that operate in highly regulated industries, or that are part of critical infrastructure, should consider themselves to be at additional risk of intentional breaches.
In these cases, pre-employment screenings and continuous security monitoring should be particularly intensive.
The potential cost of ignoring the problem
The clever folks at Verizon have done some calculations in their Verizon 2021 Data Breach Investigations Report to estimate the average costs of data breaches (ie security incidents that lead to data loss).
They found that the median cost was $21,659 (£16,155). In 95% of cases the cost was between $826 (£616) and $653,587 (£487,507).
And it’s not just about short-term losses. Verizon found that breached companies listed on NASDAQ were still underperforming by about 5%, six months after the breach.
What this makes clear is that the impact of not taking cybersecurity risks seriously can be very damaging for your business.
Reduce your organisation’s cybersecurity risk
We offer a range of solutions to minimise the risk of cyberattacks:
- Diagnostic assessments and strategy recommendations – to review where you are, where you should be and how to get there.
- Security system implementations.
- Cyber Essentials training for your management team.
- Cyber Awareness training for your employees.
- Backup and disaster recovery solutions (just in case).