In the Cyber world, there is this saying that people, especially
your employees, are the weakest link in the security chain. To some degree or another, this is true. After all, they are the ones that will use
the shared resources and your software apps the most.
If there are any sort of backdoors that they leave open,
such as not logging off, not having a complex password, etc. then usually blame is pointed at them. Very often, they are shamed, and made a point
of humiliation amongst their peers.
Perhaps this technique could work in scaring the other
employees into abiding to your security policies, but it won’t last
forever. The employee you shamed will
feel mistreated, and singled out, and even a point of workplace harassment.
The last thing you need is a lawsuit about employee
mistreatment. But it is important to
keep in mind that most employees do not mean any harm, it is sometimes they
just forget to do something when they should have.
Maybe they just got called into a last-minute meeting, or a
client has an emergency, who knows? As a
boss, supervisor, manager, whatever your title might be, you have to take all
things into consideration, and listen to the side of your employee as
well. Not doing so will only set a very
dangerous precedent, but it will also show favoritism, which is something else
you do not want to happen in the workplace.
But then, there are those group of employees who honestly
could care less about Cybersecurity, or even about the protection of who they
work for. Many times in these instances,
as long as they are collecting a paycheck, that is good enough for them. This can be referred to in psychological
terms as “Employee Apathy”.
This simply refers to the lack of interest on their part to
protect something that is valuable to the company.
I never realized it before, but this is really a very
serious issue when it comes to Cybersecurity.
After all, you want your employees to become both the front and last
lines of defense for your company, and you are totally relying upon them to be
your eyes and ears when you are not around.
But Employee Apathy is only getting worse. For example, take into these stats from a
recent market research survey:
*33% of employees just don’t understand Cybersecurity;
*Only 39% would report a security incident to their boss;
*25% of the respondents just simply don’t care about
Cybersecurity at all.
More information about this research can be seen here at
this link:
So, what are the ways to improve Employee Apathy in your company? Here are some tried and tested ways that you
can follows:
1)
Improve the level of security awareness training:
This is a topic that I am sure
everybody is sick of hearing. But unfortunately,
it has to keep getting repeated because nobody still seems to care about it,
IMHO. First, training is not a one-shot
deal. You have to do this repeatedly, at
the Cyber experts recommend at least once a quarter to get any kind of
results. Second, you have to keep the training
down to no longer than 30 minutes at max.
That is the attention span of the average human being, and remember, you
are also not giving a college lecture on computer science. It should be easy to understand and consume. Third, you have to keep your employees engaged. This is the only way that they will remember
anything. Companies are starting to
realize this, and are now using the concepts of Gamification to keep the training
competitive. Fifth, test your employees
a few days after training. For example,
if you teach about how to avoid a Phishing email, then launch a mock Phishing
attack a couple of days later to see who has fallen prey for it.
2)
Have a hotline:
As it simple as it sounds,
employees do not even know how to report a security breach that they may have
witnessed. For instance, almost 50% of the
employees in the survey did not even know if their company had a security hotline
or not. So, correct the situation and
have a 24 X 7 X 365 telephone hotline in which employees can report on anonymously
any thing out of the ordinary that they may see or are currently
witnessing. Then, have a triaging system
in place so that the most important tips get first attention. But make this hotline known to all
of your employees!!!
3)
Get rid of the mind games:
Employees want bosses that are
tactful, respectful, don’t micromanage, but above all, are polite and honest to
their employees. This simply means be
honest to the employee that is making a security mistake, but under no
circumstances do not shame or punish them in front of other employees!!! Instead, take him or her into
your office, and have a private conversation as to what happened, and provide
strategies as to what can be done better next time to help mitigate any
security risks from proliferating into large scale ones. As I have mentioned before, as we humans, we
all make mistakes. But by nature, we are
also, good and kind, and at times, naïve about things. So to best of your abilities, try to forgive
and to a certain extent, forget.
My Thoughts On This:
As I write this blog, probably the one thing I would do
differently is to simply take my employees, and just have an open and honest
discussion with them as to how their levels of apathy towards Cybersecurity.
Make sure to take careful notes, and implement the thoughts
of your employees wherever you can.
Being a straight shooter like this only make your employees value you that
much more, and have respect for what you are trying to accomplish.
Finally, minimizing apathy comes directly from the top. If your CISO takes the time to maintain decent
levels of Cyber Hygiene, so will you and your employees.
No comments:
Post a Comment