Cyber-security and the power of employees

Chris Waynforth at Expel argues that employees should not be your cyber-scapegoat

 

Business email compromises (BEC) and business application compromises (BAC) have consistently remained top security threats against organisations. According to our annual threat report, Great eXpeltations, BEC accounted for 50% of all customer incidents the Expel security operations centre (SOC) observed during the past two years.

 

We also saw BEC attempts targeting access to human capital management systems across multiple customer environments. This is further evidence that cyber-criminals are still laser-focused on the weakest link in the cyber-security chain—people. 

 

While it’s true that user error is a common cause of cyber-security incidents, it’s important to recognise that mistakes are inevitable. IBM’s 2022 study found that human error was the root cause of 21% of enterprise breaches, second only to IT failures, and this echoes trends we’ve seen with our own customers.

 

Today’s attackers are using increasingly sophisticated social engineering tactics to target digital identities: 57% of all incidents we identified in Q1 were identity-based attacks. Organisations have traditionally relied on awareness training to combat these attacks, yet human error persists.

 

It’s clear the current approach isn’t working, but how can organisations adapt? Ultimately, businesses need to prioritise fostering a culture of accountability and responsibility rather than scapegoating employees. And this starts with feedback, not finger-pointing.

 

It’s not a game of hot potatoes

Business leaders and managers shouldn’t pass the blame when a cyber-security incident happens. Cyber-attacks may be unpredictable, but they shouldn’t be unexpected. 

 

Employee mistakes, negligence, or ignorance can (and will) result in a breach. But as a general rule of thumb, particularly for minor incidents, casting blame shouldn’t be the default response.

 

Instead, managers should focus on constructive conversations which provide feedback to employees on the mistake, what impact it could have, and, most importantly, preventative steps for the future. After all, there’s a reason they say “to err is human.” 

 

These situations must be approached in a human way and with understanding. Grounding the response to an incident in respect gives the employee the education they need to avoid repeating the mistake.

 

Delivering feedback can be uncomfortable for managers, but it’s crucial for encouraging a culture of responsibility and accountability among employees.  

 

Blaming all employees for cyber-security incidents through broad policies does not address the root cause or provide a long-term solution. Rather than blanket policies, companies need to create a culture that nurtures constructive feedback across the organisation (not just within a cyber-security context).

 

When honest and open dialogue is encouraged, employees won’t be scared to report any slip-ups or issues.

 

Delivering regular and effective feedback is a skill, but it’s critical to building trust. Constructive feedback, delivered in the right way, needs to emphasise the positive and communicate clearly where improvement needs to be made and how. Once managers have established an environment where constructive feedback becomes the norm, organisations can address issues far earlier than before.

 

Adding human power to cyber-security strategy

When employees feel trusted by their employers, they’re more likely to be open about their mistakes, which means managers and leaders can nip potential risks in the bud. Human-based cyber-security risks require human-centric solutions: a communicative environment, and ongoing security awareness training that keeps pace with the evolving threat landscape.

 

With cyber-security teams under increasing pressure, businesses of all shapes and sizes need technology solutions that help them work effectively and protect them from external threats. Managed security solutions like managed detection and response (MDR) and vulnerability prioritisation can help take the burden off overstretched teams and improve security across an organisation’s ever-expanding attack surface.

 

Resilient cyber-security starts with accountability 

We’ve seen that user error is one of the most common causes of cyber-security incidents. Business leaders need to accept this and start building a culture that addresses its root causes.

 

Rather than scapegoating individuals or teams, leaders and managers should focus on providing effective feedback, building a culture of communication, and adopting the right technologies to protect the modern enterprise.

 

As much as employees are an organisation’s biggest cyber-security risk, they’re also its biggest asset when building a strong cyber-security strategy. 

 


 

Chris Waynforth is General Manager and VP International of Expel
