As per a 2019 report by cybersecurity software provider Kaspersky Lab, approximately 90 percent of corporate data breaches are either directly or indirectly the result of human error.
This should come as no great surprise. It’s been common knowledge for some time that, where cybersecurity is concerned, your employees will always be your weakest link.
Criminals know this. It’s easier to fool a hapless employee than it is to break through an expensive firewall. That’s why, as indicated in the 2020 Verizon Data Breach Investigations Report, credential attacks, social engineering, and human error together account for 67 percent of all data breaches.
To address this, you need to focus on your security processes and procedures. You need to ensure you have the proper policies in place around employee training and acceptable use.
And, perhaps most importantly, you need a response plan to help mitigate the damage in the event that someone does make a mistake.
This plan should not, however, include disciplinary measures. On the surface, this may seem counterproductive. Shouldn’t an employee be held accountable for their mistakes, particularly if those mistakes stem from carelessness?
As it turns out, no.
In a virtual workshop released in early August, AI-driven cybersecurity provider Cybsafe revealed that far from reducing the likelihood of errors, punishment is counterproductive.
Working with the Centre for Research and Evidence on Security Threats (CREST), Cybsafe directly examined the impact of disciplinary action on employees.
Disciplinary action increases anxiety levels, reduces productivity, and can even damage mental health.
Worse still, it can reduce your security posture. An employee who knows they’re likely to be punished for accidentally clicking on a phishing link is much less likely to tell someone about it. And as you well know, in a cyber incident timing is everything.
“People fall for phishing attacks and other cybersecurity attacks because they’re human and because they have been trained to click links,” Dr. John Blythe, Cybsafe’s head of behavioral science, explained in the workshop.
“Bad habits are difficult to shake, especially when today’s phishing attacks can be highly convincing. Formally punishing staff for making cybersecurity slips is, in the vast majority of instances, a problematic approach – it’s unfair and diminishes productivity.”
Understand that, in 2020, cybersecurity is no longer the sole domain of your IT department or security team. It requires participation from every department and at every level of an organization.
Each employee must know the role they play in protecting corporate assets as well as understand how to recognize and avoid some of the most common cyber attacks.
More importantly, they must be willing to collaborate and cooperate with your security team, which is impossible if you’re doling out punishments left and right.
Call out employees who perform exceptionally in simulations, give staff an opportunity to become more involved in corporate security, and ensure that, if a mistake does happen, the employee reports it immediately.