Why Do Employees Break Cybersecurity Policies?

572

  • In the face of increasingly common (and costly) cyberattacks, many organizations have focused their security investments largely on technological solutions.
  • During the 10 workdays we studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.
  • Especially as the shift to remote work has transformed how many people work, IT leaders should be sure to involve the employees who will be affected by new security measures in their creation, evaluation, and implementation.

Colonial Pipeline paid a ransom of over $5 million last summer after a cyberattack caused widespread alarm about the availability of gasoline in the Southeast United States. Only a few weeks later, the world’s largest meat processing corporation agreed to pay an $11 million ransom in the wake of a cyberattack that shut down plants in the United States, Canada, and Australia as reported by HBR.

Cyberattacks 

Attacks like these have been growing more common for years, and the Covid-19 pandemic has only made matters worse, with the FBI reporting a 400% increase in cyberattacks in the first few months of the pandemic.

In response, investment into cybersecurity has skyrocketed — but unfortunately, these efforts haven’t always addressed the underlying factors that create vulnerabilities.

While IT specialists toil away to create better, smarter, and safer technical systems, there is one risk they can’t program away: humans.

Especially as remote work becomes more prevalent and thus access to secure systems becomes more distributed, one wrong click by an employee can often be enough to threaten an entire digital ecosystem.

Our recent research, however, suggests that much of the time, failures to comply may actually be the result of intentional yet non-malicious violations, largely driven by employee stress.

Policy Violations 

We asked more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the course of two weeks.

We found that across our sample, adherence to security conventions was intermittent.

During the 10 workdays we studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.

But what led to those breaches in the protocol?

When asked why they failed to follow security policies, our participants’ top three responses were, “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.”

But our findings do suggest that despite considerable media focus on the “insider threat” posed by malicious employees, there are a lot of well-intentioned reasons that an employee might knowingly fail to fully follow the rules.

Ignorance and Malice

Many leaders assume that employee security violations are either malicious or unintentional, and then design security policies based on that assumption.

However, our research illustrates that there’s a sizable middle ground between ignorance and malice, and so managers would be wise to adapt their training programs and policies accordingly.

This means educating employees and managers on the prevalence of non-malicious violations and providing clear guidance on what to do if adherence to security practices seems to conflict with getting work done.

In addition, organizations should take steps to incorporate employees in the process of developing and user-testing security policies, and equip teams with the tools they’ll need to actually follow these policies.

Too often, IT departments develop protocols in a vacuum, with limited understanding of how these rules might interfere with people’s workflows or create new sources of stress.

Job Design and Cybersecurity 

It’s common to think of security as secondary to productivity.

In normal times, that’s not necessarily a problem, as employees are likely to have the resources to devote sufficient energy to both.

To address this, managers must recognize that job design and cybersecurity are fundamentally intertwined.

In addition, managers should work to identify and reduce sources of stress for their teams, since working under more-stressful conditions can impact employees’ consistency in following security protocols (not to mention their well-being and effectiveness across a slew of other metrics).

Surveillance systems that seemed reasonable in the office might feel intrusive at home — and even if there’s no obvious, direct fallout, our research suggests that the added stress could indirectly make people more likely to break security protocols.

Hackers Take Advantage of Altruism

Most managers would say it’s a good thing if their employees want to help one another.

But unfortunately, altruism can come at a cost: In our study, around 18% of policy violations were motivated by a desire to help a coworker.

The pandemic has only increased the challenges we all face every day and thus has created even more opportunities for well-meaning employees to “help” their peers in ways that leave their organizations vulnerable.

Hackers know this, and they will often intentionally use social engineering tactics that take advantage of employees’ willingness to bend the rules if they think they’re helping someone out.

These are scams in which an attacker poses as a supervisor or close coworker and emails employees with an urgent request to transfer funds.

Flouting policy

In the modern cybersecurity landscape, every employee is a potential threat vector.

To keep their organizations safe, technical and business leaders alike must understand the factors that can make anyone susceptible to flouting policy and opening the door to attackers.

While the idea of a resentful employee purposefully trying to harm their company may make for a compelling story, our research points to the major role of employee stress in motivating non-malicious (yet potentially catastrophic) security breaches.

To address the mounting risk of cyberattacks — as well as the countless other risks associated with an increasingly stressed-out workforce — leaders must undertake targeted efforts to minimize the root causes of stress in the workplace and design healthier, more sustainable workloads for employees at every level.

Did you subscribe to our newsletter?

It’s free! Click here to subscribe!

Source: HBR