Per a report released in 2019 by cybersecurity software provider Kaspersky Lab, approximately 90 percent of corporate data breaches are either directly or indirectly the result of human error. If you have been keeping up-to-date on current events, this should come as no great surprise. It’s been common knowledge for some time that, where cybersecurity is concerned, your employees will always be your weakest link.
Criminals also know that not every employee is well-versed in internal cybersecurity, which is why it’s easier to fool a hapless employee than it is to break through an expensive firewall. That’s why, as indicated in the 2020 Verizon Data Breach Investigations Report, credential attacks, social engineering, and human error together account for 67 percent of all data breaches. A percentage of that magnitude shows that cybersecurity is a topic that needs to be discussed more often and given a larger focus while onboarding your staff.
To address this, you and your leadership team need to focus on your security processes and procedures. You need to ensure you have the proper policies and security measures in place around employee training and acceptable use. And, perhaps most importantly, you need a response plan to help mitigate the damage in the event that someone does make a mistake. This might take a bit of effort to get off the ground at the beginning, but the time it takes to put a response plan together will save you even more time in the end.
Imagine experiencing an attack in a couple of months and having to come up with a plan from scratch because you didn’t have one beforehand. That would be a major source of headaches and stress, and entirely avoidable.
It’s important to note that the plan you come up with should not include disciplinary measures. On the surface, you may think that this is a reckless approach to take, as well as counterproductive. After all, shouldn’t an employee be held accountable for their mistakes, particularly if those mistakes stem from carelessness?
As it turns out, no.
In a virtual workshop released in early August, AI-driven cybersecurity provider Cybsafe revealed that, far from reducing the likelihood of errors, punishment is counterproductive. Working with the Centre for Research and Evidence on Security Threats (CREST), Cybsafe directly examined the impact of disciplinary action on employees. Disciplinary action increases anxiety levels, reduces productivity, and can even be potentially damaging to mental health.
Worse still, it can reduce your security posture. An employee who knows they’re likely to be punished for accidentally clicking on a phishing link is much less likely to tell someone about it. And as you well know, in a cyber incident, timing is everything.
“People fall for phishing attacks and other cybersecurity mistakes because they’re human and because they have been trained to click links,” Dr. John Blythe, Cybsafe’s head of behavioral science, explained in the workshop. “Bad habits are difficult to shake, especially when today’s phishing attacks can be highly convincing. Formally punishing staff for making cybersecurity slips is, in the vast majority of instances, a problematic approach – it’s unfair and diminishes productivity.”
You need to understand that in 2020, cybersecurity is not the sole domain of your IT department or security team. It requires participation from every department and at every level of an organization. Each employee must know the role they play in protecting corporate assets as well as understand how to recognize and avoid some of the most common attack methods.
More importantly, they must be willing to collaborate and cooperate with your security team, something which is impossible if you’re doling out punishments left and right, instilling fear amongst your employees. So, instead of disincentivizing bad behavior, incentivize good behavior.
Call out employees who perform exceptionally in simulations, give staff an opportunity to become more involved in corporate security, and ensure that, if a mistake does happen, the employee responsible will be unafraid to notify IT immediately.