The Path to Poor Security Is Paved with Good Intentions
Most employees are hard-working, engaged, and eager to please in their roles.
Many go out of their way to do their jobs as effectively, efficiently and well as possible.
Yet, therein lies a potential threat.
How would you respond if you found out that your employees were the most significant contributors to poor security in the workplace? You’d probably be astounded.
Employees can often view security policies as roadblocks to their progress. So instead of working with these protocols, many look for shortcuts to bypass them.
According to a CEB study, around 90% of workplace policies are being violated by employees.
So why do employees behave in this manner? You’ll be surprised to know that this habit arises from needing to do their job quickly and efficiently.
This is often referred to as “the path of least resistance”.
In a result-oriented workplace, employees are usually stressed and pushed to deliver their best. With the pressure of deadlines, meetings and everything else in between, employees start looking for ways that allow them to accomplish their tasks as quickly as possible.
At the end of the day, they’re producing results, right?
So, they see no harm in the way they are working. However, violation of workplace policies by employees harms the business. It also raises the risk of insider threats.
The person’s intent is good, but the damage that their actions cause can be severe.
According to the UK Information Commissioner’s Office (ICO), over 90% of cyber breaches are attributed to human error.
Insider breaches arise because of human errors, but they may also result from wilful negligence or ignorance on the employee’s part.
Surprisingly, some employees are aware that their actions aren’t authorised. But as long as the work gets done quickly, taking the shortcut is acceptable to them.
And some employees are utterly oblivious to their behaviours and to the actions that most likely place their organisation at risk.
In my experience, most insiders want to do the right thing but fail to do so.
Here are three types of fallible insiders.
- Careless insiders – Unfortunately, some employees are careless, neglecting to follow even the minimal best practices for maintaining good digital hygiene, which keep the online environment safe for everyone. For example, clicking on a phishing link, opening malicious attachments, or using the same weak password for all of their applications.
- Ignorant insiders – For most employees, cybersecurity and data privacy are not top-of-mind as they execute their day-to-day responsibilities. They don’t truly understand or appreciate the repercussions of a data breach, and they wouldn’t know how to respond to a threat even if they did identify one. No matter how much cyber awareness training you provide, they will neither understand nor comply.
- Negligent insiders – These are insiders who fail to act correctly despite knowing better. Employees can be negligent when they are overworked. They might also be preoccupied, overly stressed and disengaged because they just don’t like working there. For example, they might send out sensitive information to the wrong email user or to a cloud storage provider against corporate policies, simply to complete work from home, or they may send sensitive personal information via email.
Example: IRS employee took home data on 20,000 workers at the agency
An IRS employee took home a personal thumb drive which contained the social security numbers, addresses, contact information and other sensitive data of over 20,000 people. This included data of all contractors and current and former workers of the IRS.
The investigation showed that the device was used on the employee’s personal home network, which was not secure and placed the data at risk.
Luckily, the thumb drive was not used for malicious purposes, and no misuse of the data was found.
Even though the IRS does have precautions and policies in place, the employee had chosen to overlook them so that they could work at home.
While looking at the intent behind the action helps you understand its motivation, it still doesn’t answer why your employees are making mistakes.
To get to the root of the problem, you have to look for the following signs of employee behaviour in the workplace to understand why they behave the way they do.
Is it because they:
- Have huge workloads with tight deadlines?
- Lack regular policy and procedure training?
- Have a poor working environment or poor working conditions?
- Are bullied and harassed at work?
- Find work tiresome and boring?
- Find security practices a hassle and a roadblock to their productivity?
- Are stressed at work?
- Are negligent and careless in their behaviour?
- Find it difficult, confusing and complex to follow organisation policies and controls?
- Lack perceived organisational support?
- Have poor personal habits, such as alcohol or drug use, gambling or other forms of predisposition?
- Have health problems, such as sleep difficulties, that can also cause poor performance at work?
All these factors can significantly influence how employees perform, act and conduct themselves.
According to Gallup’s State of The Global Workplace, only 15% of employees are engaged in the workplace.
Employee engagement reflects the involvement and enthusiasm of employees in their work and workplace.
Employees can become engaged when their basic needs are met and when they have a chance to contribute, a sense of belonging, and opportunities to learn and grow.
The large share of disengaged employees are psychologically unattached to their work and organisation. Because their engagement needs are not fully met, they’re putting time but not energy or passion into their work.
Every day, these workers potentially undermine what their engaged co-workers accomplish.
Every day, these workers place their organisation at risk due to their “detachment” from work.
Paying attention to your workforce
Data breaches occur because organisational management and executives are not paying enough attention to the workforce.
It is essential to strike a good balance with your workforce. If they are overworked and stressed, they will look for shortcuts to accomplish their tasks. Beyond that, they will most likely burn out.
In due time, they will most likely leave the organisation. And if it hasn’t already happened, they will cause security incidents, intentionally or unintentionally. This scenario is a recipe for disaster.
How are you engaging with your employees? How are you making their job more involved? How are you supporting them? And how do you encourage greater cooperation, trust and teamwork within your organisation?