There's a gap between information security awareness and action.
Organizations are spending more time and resources on security awareness training than ever before. In late 2016, Gartner analysts predicted that annual security product and services spending would top $81 billion globally. Despite the fact that companies are putting budgets and hours towards training their people, human behavior might not be improving.
The 2016 Verizon Data Breach Investigations Report (DBIR) found that human behavior was behind the majority of security incidents with data loss. Twenty-six percent of employee-caused incidents involved sending sensitive info to the wrong person. The DBIR also indicated that 23% of phishing recipients opened a malicious email, while 12% of phishing targets went on to open malicious attachments or links.
If humans are receiving all the right knowledge to avoid risky behavior but are still causing security incidents, what needs to change?
Your Employees May Be Too Apathetic Towards Information Security
When knowledge results in changed behavior, that's action. When knowledge isn't transferred into choices, it's known as apathy. If you've ever wondered whether apathy is localized to your organization, it may help to know that some data indicate it's pretty widespread. In 2015, a study by SailPoint indicated that 1 in 5 employees globally would sell their work passwords for the right price—and for some employees, the right price was as little as $150.
Apathetic employees might not actually hand over their login credentials to cybercriminals, but they're a lot less likely to pull from their information security awareness knowledge when it comes to daily behaviors. Apathy isn't a simple issue, and it's also not one that IT can tackle by themselves.
Join us as we review how to fight employee apathy at your organization with collaboration, culture, and the right IT technology.
1. Join Forces with HR to Address Engagement Issues
"Employee engagement" is a term that has received a lot of attention in the business management space in the past year. 2016 data from Gallup indicates that 32% of employees in the U.S. are engaged in their work, which is defined as being "involved in, enthusiastic about, and committed to their work and workplace." The drop in average engagement is so severe that Gallup analysts are referring to it as a "crisis."
While workplace dissatisfaction is hardly a battle IT can fight alone, engagement is an IT issue because disengaged employees can exhibit apathetic behaviors towards security.
If IT leadership were to work with human resources and other functions to improve engagement, what would that look like? Deloitte research recommends improving engagement with the following actions:
- Help employees find meaning through work.
- Elevate encouraging and inspiring leaders.
- Improve workplace flexibility, diversity, and inclusiveness.
- Establish opportunities for growth.
- Develop "vision, purpose, and transparency".
Moving towards happier, more productive employees certainly is not something IT can accomplish on its own. However, if engagement isn't a priority at the workplace and security behaviors are suffering, supporting a company-wide movement toward engagement could reduce security risks.
2. Quickly Identify Disgruntled Employees
The vast majority of human error that results in a data breach is caused by apathetic employees who aren't paying attention or applying their knowledge. However, not all security incidents are mistakes. Disgruntled employees sometimes cause egregious breaches deliberately, with criminal intent.
Can apathy lead to disgruntled behavior? With the right mix of cultural and personal elements, it is possible. In the past few years, unhappy or angry employees have contributed to data loss at organizations like the Korean Credit Bureau (KCB), Sage, and EnerVest. In the instance of KCB, CNN stated in 2014 an estimated 40% of Korean citizens were impacted over the course of several years.
To learn more, we recommend 8 Examples of Internal-Caused Data Breaches.
Employees with access to sensitive data, such as members of the IT or leadership team, may present an elevated risk if they become disgruntled with their organization. Disgruntled worker risk is another issue that IT cannot fight alone; it's a company-wide effort that requires collaboration across leadership.
However, monitoring logs and identifying unusual behaviors can be an important first step toward limiting the damage if an employee decides to lash out. Finally, when employees are terminated, IT should remove access and shut down accounts immediately, so that data is not taken off the premises.
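The two controls just described, watching logs for behavior that departs from a user's own baseline and confirming that terminated accounts are really dead, can be illustrated with a small script. The following is an added example, not code from the original article; the log format, user names, thresholds, business-hours window, and the HR termination list are all constructed assumptions for illustration.

```python
"""Added example: two signals a log review can surface.

1. Unusual behaviour: a user exporting far more records than their own prior
   average, or acting outside business hours.
2. Stale access: any activity by an account that HR lists as terminated, which
   means offboarding did not disable it in time.

Log lines, users, thresholds and the termination list are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed log lines: ISO timestamp, user, action, record count
SAMPLE_LOG = """\
2017-01-10T09:12:04 alice EXPORT 120
2017-01-10T10:40:51 alice EXPORT 95
2017-01-11T09:05:13 alice EXPORT 110
2017-01-12T23:48:22 alice EXPORT 4800
2017-01-10T11:00:00 bob VIEW 1
2017-01-11T14:30:00 bob VIEW 1
2017-01-13T08:15:00 carol EXPORT 30
"""

# Constructed HR offboarding list: user -> date access should have ended
TERMINATED = {"carol": datetime(2017, 1, 12)}

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time (assumption)


def parse_log(text):
    """Turn the space-separated log format above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "count": int(count)})
    return events


def find_unusual_exports(events, factor=10.0):
    """Flag EXPORT events that are `factor` times the user's mean prior export
    (only once the user has at least two prior exports, so the baseline means
    something) or that happen outside business hours."""
    history = defaultdict(list)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "EXPORT":
            continue
        prior = history[ev["user"]]
        reasons = []
        if len(prior) >= 2 and ev["count"] > factor * mean(prior):
            reasons.append("volume")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append((ev["user"], ev["ts"].isoformat(), tuple(reasons)))
        prior.append(ev["count"])  # this event becomes part of the baseline
    return findings


def find_stale_access(events, terminated):
    """Return (user, timestamp) for activity on or after the termination date."""
    return [(ev["user"], ev["ts"].isoformat()) for ev in events
            if ev["user"] in terminated and ev["ts"] >= terminated[ev["user"]]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unusual exports:", find_unusual_exports(evs))
    print("stale access:   ", find_stale_access(evs, TERMINATED))
```

On the constructed data the script flags alice's 4,800-record export at 23:48 for both volume and timing, and carol's export the day after her termination date as a stale account. Comparing each user against their own history, rather than a single global threshold, keeps a heavy but legitimate user from drowning the report in noise.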
3. Use Technology to Support the Right Behaviors
A culture that supports engagement with work and information security is a company-wide mission that probably can't be accomplished overnight. IT leaders must play an active role in collaborating with HR and other members of the leadership team to create a culture that supports happy and secure talent. However, even in the healthiest organizations, human error and the occasional disgruntled employee may still be inevitable.
IT should look towards technologies that can minimize the impact of mistakes or deliberate damage. With the right technical safeguards, you can protect against mistakes and quickly clean up damages. Technical safeguards could include:
- Policy-based administration for access and identity management
- Smart email tools for sandboxing, filtering, and preventing the release of sensitive information
- File integrity monitoring to establish accountability
IT can work to educate employees and help resolve cultural issues, but they cannot fix deep-seated issues of apathy within an organization. Achieving cultural change can be a long process that involves cross-functional collaboration between tech, HR, and other leadership.
January 24, 2017