Despite eye-catching headlines about the dangers of artificial intelligence and supply-chain vulnerabilities, an organization’s own employees are often still its biggest cybersecurity weakness. Attacks like social engineering and spear-phishing may not be the flashiest or most exciting threats to defend against, but they can still devastate a business.
The employee attack surface isn’t going to disappear anytime soon. In fact, if current trends continue, it’s likely to increase. The well-established practice of remote working and BYOD approaches, have created not just physical challenges around securing devices remotely, but also more intangible difficulties around maintaining a culture of cybersecurity hygiene across a dispersed workforce.
The result is, by 2025, Gartner predicts that over half of significant cyber incidents will be caused by either human failure or a lack of talent. And that gives a human resources department a central role in an organization’s cybersecurity.
Contents
Traditional Approaches Don’t Work on Real, Living Humans
When it comes to infrastructure and network security, CISOs know what they’re doing. Patching hardware vulnerabilities when you know about them, performing risk assessments to stay ahead of the curve, and using established frameworks like zero trust to lock down what you can. But these kinds of approaches fall short when it comes to humans and their intricate multi-layered psychology . You can’t patch an employee like an application, nor can you monitor their every move like a network endpoint.
In a healthy business, employees are not mindless drones who’ll never deviate from a set path, and nor would you want them to be. It’s often an employee’s unique perspective and approach that can make them so valuable to your organization as a whole.
Nor can employees be completely “locked down” without the risk of unintended consequences. Zero trust has rightly become a gold standard approach for cybersecurity to deal with increasingly complex network environments. But no business can operate without the trust of its employees, nor can it work without trusting them in return.
You can’t patch an employee like an application, nor can you monitor their every move like a network endpoint.
This makes a balanced approach essential. If a business is too strict with its employees, the relationship risks becoming antagonistic, and workers could get frustrated and try to find unofficial workarounds. For example, a user might start using unapproved software or upload files to personal cloud storage services to do their job. This creates a problem sometimes referred to as “shadow IT,” which can leave businesses in an even worse position because security policies are being skirted entirely. Or, if forced to change their password too regularly, employees may fall back on simpler, easier-to-guess security credentials or even writing their password down and putting it under the keyboard. On the other hand, lax security policies mean the risk of social engineering and phishing attacks is only going to increase.
Trusting Employees in a Zero-Trust Environment
According to survey data from Ernst & Young, 53 percent of US employees are worried that their organization will be the target of a cyber-attack. But a second, and more worrying, figure comes from Gartner, who reports that 69 percent of employees have bypassed their organization’s cybersecurity guidance in the previous year, and that 74 percent would be willing to do so “if it helped them or their team achieve a business objective.” Infringements might be as simple as connecting a corporate device to a personal Wi-Fi hotspot to bypass a seemingly inconvenient firewall or using a personal device to photograph and share a sensitive document.
These stats read as contradictory but can be helpful to bear in mind as you navigate the balancing act of cybersecurity training. You should take solace in the fact that a majority of employees (in theory at least) understand the need for cybersecurity policies. But know that if your policies get in the way of their work, then a larger majority will be willing to bypass them.
Employees be completely “locked down” without the risk of unintended consequences.
The first step on this tightrope is to minimize the mistakes that are possible for an employee to make in the first place. Employees should have to, for example, authenticate their identity to access critical applications and data, and be restricted entirely from accessing important resources that they don’t need. Strong multi-factor authentication should not just be encouraged across most employee accounts, but actively enforced. Checks and redundancies need to be in place to spot serious problems before they can have an impact.
Training
You’ll never be able to fully prevent employees from making mistakes — at least not without placing the kinds of onerous restrictions on them that’ll make it difficult for them to perform everyday tasks. That’s where HR and training comes in so your employees both understand the correct approach to cybersecurity training and, perhaps more importantly, understand the reasons why your cybersecurity policies exist in the first place.
For each and every employee, this process should start on their first week at the company. During onboarding, new employees should ideally go through an interactive training session to remind them of their important role as the company’s first line of cybersecurity defense. Consider this your opportunity to get in and establish good habits before an employee has the chance to develop bad ones. Offer clear examples of what threats exist to the organization, and clear steps to take if they see it happening.
A majority of employees understand the need for cybersecurity policies, but a larger majority will be willing to bypass them if they get in the way
Remember that you can’t safely assume your employees know about cybersecurity when even some of the smartest IT and cyber professionals can make mistakes that put the company in jeopardy. For example, the Colonial Pipeline ransomware attack, which resulted in the company making a ransom payment of $4.4 million, is believed to have originated from just a single compromized password.
Then, the challenge becomes making sure bad practices don’t creep in over time. Employees need to both continue to remember your cybersecurity policies and maintain the enthusiasm to comply with them. Again, a balanced approach is essential. Give employees too much training and you risk hitting a point of cybersecurity fatigue. Give too little and you can’t blame them for forgetting.
A good rule of thumb is to aim for some kind of training or awareness event once a month. This sounds like a lot, but it doesn’t have to be as exhaustive as a full training course or seminar. It might be as simple as an sending an email to remind them of important policies, conducting a phishing test, or even rolling out some kind of reward program to acknowledge the efforts of employees who go to the effort of reporting malicious events or phishing emails. Being a cyber-conscious employee can sometimes feel like a thankless task, but with some effort on the part of HR it doesn’t have to.
To conduct this ongoing training, it makes sense for HR to work in close collaboration with IT both to avoid doubling up, and to benefit from both teams’ expertise. An IT department can be depended upon to have the technical expertise, but HR can play an important role in knowing how best to impart this to employees by using principles of adult learning and tailoring training to the culture of the organization. Simply reiterating your policies in a glorified lecture is unlikely to stick, but something more interactive that gets staff actively participating has a better chance of success.
No training and awareness campaign is going to be perfect, but so long as you’re open to adjusting your programs based on performance and feedback your organization’s cybersecurity culture should be left with a strong foundation.
A Culture of Fallibility
Even with the best policies and training measures in place, your employees are ultimately human. With mistakes, it’s a question not of “if” but of “when.” Businesses need to have not just the physical processes in place to deal with this, but more importantly a culture that encourages employees to speak up when problems arise. I’ve taken to calling this kind of company culture a “culture of fallibility.” In other words, it’s an environment that accepts that people are human and will make mistakes and makes allowances for this.
At the risk of once again equating human employees with IT hardware, a server that failed to log an issue for 24 hours would be considered grossly inadequate. Employees need to feel empowered to report problems the second they’re spotted without fear that doing so will cast any doubt upon their competency. To be clear, you don’t want to go too far and risk a culture of fallibility turning into a culture of cybersecurity complacency, but it’s important to find a balance.
Once they do decide to report an issue, there are more tangible processes you can put in place to make the process as quick and as simple as possible. Consider placing a link to a reporting tool prominently on the company intranet and designing the user experience to make it satisfying to use whether that’s with sound, animation, or a speedy human acknowledgment that a report has been received.
A Culture of Empowerment
Security professionals tend to look at everything through the lens of threat and risk, even when it comes to the way they treat and trust employees. While zero-trust principles are critical for the security of computer networks and IT systems, a zero-trust culture in your company risks inadvertently increasing your risk of creating insider threats. Meanwhile a healthy company culture where people want to work, are empowered to do their job, and feel appreciated, lessens the likelihood that your employees will inadvertently take some sort of action that will harm the company. These acts of harm can range from committing an act of fraud, stealing company data, or any other number of acts that have happened to various companies over the years.
When we create a “zero-trust culture,” people don’t feel empowered, they don’t feel appreciated, and they often wake up hating the work they are about to do. This type of environment is toxic both for the overall productivity and output of the company, but also to the security of the organization. The more angst found among your staff towards the business and their job, the more likely it is that they will commit some act as an “insider threat.”
As managers and leaders, even if we implement technical zero-trust solutions that behind the scenes limits the trust we place on employees — such as blocking on-line file storage sites that are not approved — we can’t let that fall over into how they are treated or how they feel. We need to walk a fine line between securing the environment, while ensuring the employees feel free and empowered to excel at their work.
Your Biggest Attack Surface Is Un-Patchable
Given the current threat landscape, a business’s employees are arguably its single biggest cybersecurity weakness. That makes HR an essential part of an organization’s cybersecurity process, as it works to train employees on the risks they face, and how they should respond when problems arise.
Addressing these issues relies on a company’s IT and HR departments working in sync and recognizing the expertise that each have to offer. IT’s role is obvious given its technical expertise and preexisting cybersecurity role within the company, but HR’s role shouldn’t be understated thanks to its knowhow around employee training, adult learning, and culture.
Perhaps the most important step, however, is recognizing that even the best-trained employees will always make mistakes. Sometimes these mistakes can be caught with an effective series of checks, balances, and redundancies, but when those fail it’s important that employees feel able to admit when something’s gone wrong.