A recent article by Maria Korolov on CSO Online points out that 4 out of 5 employees engage in some risky online behaviors at work despite being aware of the security risks. The myth that employees are only engaging in these behaviors because of their lack of knowledge about the risks is now debunked. Instead, the risks with employee behavior stem not from lack of knowledge but from other, less obvious reasons.
The study, performed by the Vanson Bourne research firm, identified many risky behaviors:
As the results from the study suggest, most employees know the risks associated with these behaviors (e.g., 73% know that opening an email from an unknown source is risky). However, only 20% said they never engaged in any of these behaviors. The fact that employees know the risks and continue to engage in these behaviors suggests that they lack the motivation necessary to be cautious about their online behaviors.
While the Vanson Bourne study does not address explicit reasons that employees are not adhering to best security practices, there are many reasons that your employees might not be following your company’s security guidelines closely.
While company-wide emails from the IT department may be instructive about specific links not to click or emails not to open, these instructions may not be sufficient to inform employees of the small- and large-scale consequences of risky online behavior.
Companies that do not dedicate time to teaching their employees about the personal and company-wide consequences of poor security behavior will never have employees who are proactive about security. Understanding the consequences—the cost, inconvenience, and loss of trust that can occur both personally and throughout an entire company—can provide the motivation your employees need to stay cautious in their online behaviors.
On the other hand, some of your employees already have a full understanding of the consequences and they simply do not care about the damage that could occur from a security breach. This problem is much trickier to identify and to solve. However, as security breaches increase and the cost to remediate them also increases, employers must consider consistently bad security practices as grounds for termination.
Choosing employees who are cautious and intentional in their online behaviors could determine the state of your company’s security, as well as save you time, energy, and stress from security hacks.
While each circumstance is different, there are good security practices that all companies can implement to improve employee security behavior.
To ensure that employees understand the consequences of data breaches, make time to teach them about the damage done in other hacks. Instruct employees on how their behavior affects both their own private security and the company’s security in general. Instruct employees on password security, two-factor authentication, and using secure connections while working remotely.
Employers should set security rules where possible. Companies can mandate two-factor authentication and strict usage restrictions for work devices, teaching their employees about the importance of good security practices. Creating these rules eliminates some of the risk of employees becoming lazy or going rogue with their online behaviors.
Talking about security practices once a year is not sufficient to keep your employees’ security behavior in top shape. With new hires and constantly changing tasks and priorities in enterprise environments, good security practices are likely to get lost in the shuffle of daily work. Schedule quarterly meetings (or meet even more frequently) to remind employees of the importance of secure online behavior.