Let’s start with something obvious: cybersecurity is a big problem. It’s also an equal opportunity offender, impacting small businesses, expansive enterprises, government agencies, and nonprofits with frightening frequency.
Last year, there were nearly 2,000 data breaches in the United States, collectively compromising the personal information of more than 400 million people.
In a world where one-third of people say they are online “almost constantly,” and 89 percent of board directors say “digital is embedded in all business growth strategies,” this dynamic can’t be allowed to persist.
Companies are generally aware of the risk. However, they frequently assume that cybersecurity risks result from nefarious global actors working tirelessly to undermine our coveted digital ecosystems. But that’s only part of the story.
Phishing scams, ransomware attacks, malware installations, misconfigured cloud storage settings, and other common cybersecurity vulnerabilities are only problematic because they involve the most frequent weak link: people.
According to Verizon’s most recent Data Breach Investigations Report, 82 percent of data breaches “involved the Human Element, including Social Attacks, Errors and Misuse.”
Specifically, many employees fail to follow the carefully crafted cybersecurity policies designed to keep company data and IT infrastructure secure. Understanding why employees violate these policies, and the steps companies can take to train them effectively, is key to turning cybersecurity liabilities into valuable defensive assets.
Why Are Employees Breaking the Rules?
People are increasingly aware of today’s expansive cybersecurity threat landscape. They want to protect their personal information and expect companies to do the same. However, this mindset often fails to carry over into their work.
One industry study found that 30 percent of employees don’t think they personally impact their company’s cybersecurity posture. Moreover, less than half of employees say they would report an incident, or would even recognize a threat if they saw it.
These employees can be called ignorant insiders. They don’t mean to break the rules, but they don’t recognize the guardrails, so they blur the lines between personal and professional technology, fail to follow digital hygiene standards, and fall for phishing scams.
Ignorant insiders are undoubtedly a company’s most significant cybersecurity vulnerability. A research study by the National Science Foundation explains, “most cybersecurity compliance failures result from intentional but harmless attempts by employees to perform their work-related tasks.”
Of course, not all employees are so innocent. Some people will intentionally undermine cybersecurity for financial gain, professional opportunities, or even just for fun. These malicious insiders are few and far between, but they can be incredibly destructive because they have privileged access to company data and IT infrastructure.
While insider threat analysis tends to focus on these two groups, the latest research illuminates a third cohort worthy of attention.
A study published in The Harvard Business Review found that “much of the time, failures to comply may actually be the result of intentional yet non-malicious violations, largely driven by employee stress.”
With 40 percent of workers saying their jobs are “very or extremely stressful” and 25 percent identifying their job as the “number one stressor in their lives,” overtaxed employees represent a cybersecurity vulnerability that companies can’t afford to ignore.
The costs and consequences of a cybersecurity incident demand action. Fortunately, employee training works, developing skills and competencies and reinforcing preventative behaviors that keep companies safe.
Employee Training Promotes Compliance
For companies looking to implement or rejuvenate their cybersecurity training initiatives, here are three ways to begin that process today.
Focus on What Matters Most
Employees don’t need to understand every cybersecurity risk to be effective defensive assets. Rather than inundating everyone with excessive information, focus on what matters most.
In 2023, this includes the following:
● Phishing scam awareness. Billions of phishing scams are sent every day. While AI-powered filtering software will keep many of these emails out of employees’ inboxes, some will inevitably slip through. When employees can identify phishing emails, they can render them harmless.
● Digital hygiene best practices. Regularly updating account passwords, differentiating personal and professional technology, and enabling two-factor authentication can go a long way toward preventing threat actors from compromising accounts.
● Reporting hierarchy. Safe companies will rely on their experts, and employees need to know who to contact when reporting a potential problem. By ensuring every employee can access the right person at the right time, companies best utilize their cybersecurity talent to protect their digital assets.
Embrace Accountability
Accountability is a crucial aspect of employee cybersecurity training because it fosters a sense of responsibility and ownership among employees when it comes to maintaining the security and integrity of a company’s digital assets. By promoting accountability, companies can encourage employees to be more vigilant and proactive in detecting, reporting, and mitigating potential cyber threats.
Accountability involves a combination of human intelligence and software solutions that evaluate employee behavior and respond accordingly. Implement monitoring systems to track employee adherence to cybersecurity policies and procedures. This will help identify areas where additional training or reinforcement is needed. This data can help companies know which employees follow the guidelines and which ones require remediation.
Combining employee training with accountability creates a culture of high expectations, where everyone is empowered and expected to support cybersecurity outcomes.
Respond to the Latest Trends
Threat actors are always looking to exploit new vulnerabilities. Regularly update and refresh employee training to keep up with evolving cybersecurity threats and best practices. This will help maintain a high level of awareness and preparedness among the workforce.
Teaching to Promote Security Outcomes
The cybersecurity landscape is constantly evolving, and companies must recognize the significant role that employees play in maintaining a secure digital environment. As Isaac Kohen highlights, a comprehensive approach to employee training and fostering a culture of accountability can transform employees from potential liabilities into valuable defensive assets.
Companies can effectively mitigate cybersecurity risks and safeguard their digital assets by focusing on the most relevant threats, embracing accountability, and staying up-to-date with the latest trends. A well-trained and accountable workforce is the foundation for a secure and resilient organization in today’s highly interconnected digital world.