Why Security Shouldn’t Only Fall on Employees

By Amit Bareket, Co-founder and CEO, Perimeter 81

With each passing day, news of a new data breach grabs the headlines. A breach can occur for many reasons, including stolen credentials, supply chain attacks, or malware, yet on many occasions employees are seen as the culprit.

According to an industry report by Shred-it, over 47 percent of executives have said that human error is the cause of a data breach at their organization. The security sector is quick to blame simple mistakes by employees as the reason for breaches, but are they the ones to blame?

User-Friendly System In Place  

The idea of shared responsibility in information security is not new. An organization can have a top security team in place and still not be protected against attacks that target employees rather than the organization’s networks or resources. Making it challenging for cybercriminals to attack your organization’s employees starts with integrating the shared responsibility model with proper levels of security hygiene. Security teams can put the right policies in place to balance out potential attacks, but employees are the front line of defense when a hacker is trying to exploit an organization.

According to Aberdeen Group’s research, by adopting security awareness training programs, organizations can see a 70% decrease in socially engineered cyberthreats. Implementing a quarterly security training program that is engaging and well structured is essential for getting employees to take security more seriously. The training should be interactive and built around relevant real-life use cases.

Presenting real security situations helps employees understand the importance and value that security training has to offer. For example, showing employees how to detect and differentiate between malicious emails and genuine ones could be crucial when presenting the organization’s best practices.

Smooth Security Communication

After an organization is breached or a known vulnerability is exploited, the security team should provide the details of the attack and its results to the organization’s employees. Too often, security teams provide overly technical communication about an attack that the average employee cannot understand.

When communication is too technical and complicated, the majority of employees will lose interest in learning about the attacks, what the root cause was, and how it affects their job. Being able to provide clear communication is essential when passing along information about security risks or attacks on the organization. The more precise and clear the communication is, the more likely employees are to be engaged and to avoid missteps that might lead to a future attack.

A lack of communication about security risk can result in additional security issues. According to Kaspersky Lab, over 45 percent of employees don’t report security incidents to their security teams. When employees do not report security incidents, there is usually a concrete reason. Too often, employees are afraid to report a security incident because they fear they will be held responsible if something goes wrong. Instead of leaving employees scared to report security incidents or risks, organizations should promote a more positive, educational approach to reporting security incidents. Organizations need to promote clear communication about security to stay more secure.

Taking Shortcuts

Most people will point the finger at employees as the weakest link in an organization’s security. While many breaches have shown that human error is the reason for a breach, proper security policies that are not too technical and are easy to understand will help employees become the best defense against attacks. Offering quarterly security awareness programs that are easy to understand and highlight best practices will provide a more user-friendly and effective security program.

No matter how concrete the security awareness program is, if your employees are not interested, they will take security shortcuts that defeat the purpose of the training and of the security policies implemented within the organization. A clear example is password hygiene.

Security teams tell their employees to change their passwords to a new strong password every few months. Employees will see coming up with a new password as an exhausting task and will just use the same password they are using elsewhere. This will put the organization’s security in doubt. While shortcuts taken by employees come with security consequences, organizations should provide more down-to-earth and flexible security best practices for the security of the employee and the company.


As more organizations are exploited, the human factor will continue to be a security risk, as attackers will target employees rather than hack the organization’s infrastructure to gain access to its network and resources.

To fight off attacks from cybercriminals, an organization’s employees should be continuously trained on security best practices and the different risks. With the proper security education, employees will move from being the biggest risk to becoming a security layer of defense against attacks on the organization’s network.

About the Author

Amit Bareket, Co-founder and CEO, Perimeter 81

March 23, 2021
