Sunday, August 28, 2022

It's Not The Human Being - But Apathy - That Is The Weakest Link In The Security Chain

In the Cyber world, there is a saying that people, especially your employees, are the weakest link in the security chain. To some degree this is true. After all, they are the ones who use the shared resources and your software apps the most.

If they leave any sort of gap open, such as not logging off or not using a complex password, the blame is usually pointed at them. Very often they are shamed and made an object of humiliation among their peers.

Perhaps this technique could work in scaring the other employees into abiding by your security policies, but it won't last forever. The employee you shamed will feel mistreated and singled out, and may even see it as workplace harassment.

The last thing you need is a lawsuit about employee mistreatment. It is also important to keep in mind that most employees do not mean any harm; sometimes they simply forget to do something they should have done.

Maybe they just got called into a last-minute meeting, or a client had an emergency, who knows? As a boss, supervisor, manager, whatever your title might be, you have to take all of this into consideration and listen to your employee's side as well. Not doing so not only sets a very dangerous precedent, it also shows favoritism, which is something else you do not want in the workplace.

But then there is that group of employees who honestly could not care less about Cybersecurity, or even about protecting the company they work for. Often, in these cases, as long as they are collecting a paycheck, that is good enough for them. In psychological terms this is referred to as "Employee Apathy".

This simply refers to a lack of interest on their part in protecting something that is valuable to the company.

I never realized it before, but this is a very serious issue when it comes to Cybersecurity. After all, you want your employees to be both the first and the last lines of defense for your company, and you are relying entirely upon them to be your eyes and ears when you are not around. But Employee Apathy is only getting worse. For example, consider these statistics from a recent market research survey:

* 33% of employees just don't understand Cybersecurity;

* Only 39% would report a security incident to their boss;

* 25% of the respondents simply don't care about Cybersecurity at all.

More information about this research is available at this link:

https://1670277.fs1.hubspotusercontent-na1.net/hubfs/1670277/%5BCollateral%5D%20Tessian-Research-Reports/%5BTessian%20Research%5D%20How%20Security%20Cultures%20Impact%20Employee%20Behavior.pdf?__hstc=170273983.e7b67b07bca4107e2b405b9b9fe6cad9.1659446478842.1659446478842.1659446478842.1&__hssc=170273983.1.1659446478842&__hsfp=868227580&hsCtaTracking=72be695b-db12-45db-b9ba-86cffca26b60%7Cef75f36a-5923-4028-b399-986e51c11fb6

So, what are the ways to reduce Employee Apathy in your company? Here are some tried and tested ones that you can follow:

1) Improve the level of security awareness training:

This is a topic that I am sure everybody is sick of hearing about. But unfortunately it has to keep getting repeated, because nobody still seems to care about it, IMHO. First, training is not a one-shot deal. You have to do it repeatedly; Cyber experts recommend at least once a quarter to get any kind of results. Second, keep each training session to 30 minutes at most. That is the attention span of the average human being, and remember, you are not giving a college lecture on computer science. It should be easy to understand and consume. Third, keep your employees engaged. This is the only way they will remember anything. Companies are starting to realize this, and are now using the concepts of Gamification to keep the training competitive. Fourth, test your employees a few days after training. For example, if you teach how to avoid a Phishing email, then launch a mock Phishing exercise a couple of days later to see who has fallen prey to it.

2) Have a hotline:

As simple as it sounds, many employees do not even know how to report a security breach they may have witnessed. For instance, almost 50% of the employees in the survey did not even know whether their company had a security hotline or not. So, correct the situation and set up a 24 x 7 x 365 telephone hotline through which employees can anonymously report anything out of the ordinary that they have seen or are currently witnessing. Then have a triage system in place so that the most important tips get attention first. And make sure this hotline is known to all of your employees!

3) Get rid of the mind games:

Employees want bosses who are tactful, respectful, and don't micromanage, but above all are polite and honest with their employees. This simply means being honest with the employee who has made a security mistake, but under no circumstances shaming or punishing them in front of other employees. Instead, take him or her into your office, have a private conversation about what happened, and provide strategies for what can be done better next time, so that small security risks do not grow into large-scale ones. As I have mentioned before, we humans all make mistakes. But by nature we are also good and kind, and at times naïve about things. So, to the best of your abilities, try to forgive and, to a certain extent, forget.

My Thoughts On This:

As I write this blog, probably the one thing I would do differently is to simply take my employees aside and have an open and honest discussion with them about their levels of apathy towards Cybersecurity.

Make sure to take careful notes, and implement the thoughts of your employees wherever you can. Being a straight shooter like this will only make your employees value you that much more, and respect what you are trying to accomplish.

Finally, minimizing apathy starts directly at the top. If your CISO takes the time to maintain decent levels of Cyber Hygiene, so will you and your employees.
