As cyberattacks occur more frequently and at a greater scale, many organizations have invested heavily in technological solutions. However, in many cases, attacks are the result not of external bad actors alone but, to some extent, of people inside the organization.
While IT experts work harder to develop better, smarter, and safer technical systems, there is one risk factor they can’t program away: humans. Especially as remote work becomes more prevalent and thus access to secure systems becomes more distributed, one wrong move on the part of an employee can spell disaster.
What’s more, organizations have tended to focus on technology, with cybersecurity initiatives that treat employees as potential attack vectors. These programs can be problematic in that they generally assume that employees break security protocols out of either ignorance or malicious intent. However, research indicates that much of the time, failures to comply may actually be the result of intentional yet non-malicious violations, largely driven by employee anguish.
That said, here are some ways employers can get in front of this issue:
It’s easy to think of security as secondary to productivity. Under normal circumstances, that’s not necessarily a problem, as employees are likely to be able to handle both activities. That may no longer be the case. Pandemic-induced stressors can make it harder to maintain productivity. The result is that security tends to be an afterthought when employees have to execute mission-critical tasks.
In response, managers should recognize that job design and cybersecurity are inherently intertwined. The reality is that compliance with cybersecurity policies can be time- and resource-intensive. That reality should be considered, and staff should be incentivized for compliance alongside other performance metrics. Expectations around workload might need to be adjusted, too.
What’s more, managers should work to identify and reduce sources of stress for their teams. Keep in mind that working under more stressful conditions can affect how consistently employees follow security protocols. As remote work becomes more prevalent, supervisors should be mindful of the psychological weight employees carry in working under systems that monitor them. For instance, surveillance systems that seemed reasonable in the office might feel intrusive at home. This added pressure might indirectly cause employees to violate certain protocols.
On the surface, you might think it’s encouraging when employees want to help one another. But unfortunately, good intentions can come at a cost: Per one study, around 18% of policy violations were motivated by a desire to help a co-worker. The pandemic has brought more challenges to the fore and at the same time has created even more opportunities for well-intentioned employees to “help” their peers in ways that actually expose their employers to potential threats. Hackers are attuned to this reality, and they will often intentionally use social engineering tactics that take advantage of employees’ willingness to bend the rules if they think it’s for the greater good.
To that end, managers must not only implement security policies specifically designed with these tactics in mind; they must also work to reduce the impact of these measures on employees’ workflows while ultimately working to increase employee compliance.
Here’s an example that might resonate with you. As organizations have moved to remote work as the norm, in-person communication has been significantly reduced. Recognizing this as an opportunity, hackers have executed business email compromise (BEC) scams. In such a scenario, an attacker poses as a supervisor or close co-worker and emails employees with an urgent request to transfer funds. Pressure and a desire to help a colleague can push employees to make exceptions and break protocol. They might make transfers without properly verifying the requests. Shielding your organization from these sorts of attacks means not just instituting a verification policy for large transactions, but also educating employees on why the policy matters and minimizing the extent to which it creates more legwork.
It’s a hard pill to swallow: In the modern cybersecurity landscape, every employee can be a liability. To keep their organizations safe, technical and business leaders alike must understand the circumstances in which employees might let their guard down and open the floodgates to attackers.
On that note, employees should be trained that the best information comes from reputable sources. They should know how to stay informed on the latest security best practices to ensure they’re in compliance.
Even with this education, vulnerabilities remain. Cybersecurity requires all hands on deck — and it simply cannot be ignored in 2022. If you don’t have the resources for an in-house security team, a third party can provide you with the expertise, experience, and technologies that can protect your firm against the growing range and scope of cybersecurity threats.
Ambassador Solutions has been a trusted talent advisor to tech-savvy clients since 1989. For help finding the true IT pros needed to build your tech team, please contact us at:
AmbassadorSolutions.com or 317-571-6838 (press 1 for sales).