Human error continues to be the leading cause of cybersecurity breaches. Nearly 60% of organizations experienced data loss due to an employee's mistake on email in the last year, while one in four employees fell for a phishing attack.
Employee apathy, while it may not seem like a major cybersecurity issue, can leave an organization vulnerable to both malicious attacks and accidental data loss. Equipping employees with the tools and knowledge they need to prevent these risks has never been more important to keep organizations safe.
A new report from Tessian sheds light on the full extent of employee apathy and its impact on cybersecurity posture. The report found that a significant number of employees aren't engaged in their organization's cybersecurity efforts and don't understand the role they play. One in three employees say they don't understand the importance of cybersecurity at work. What's more, only 39% say they're very likely to report a cybersecurity incident. Why? A quarter of employees say they don't care enough about cybersecurity to mention it.
This is a serious problem. IT and security teams can't investigate or remediate a threat they don't know about.
Employees play an important role in flagging incidents or suspicious activity early on to prevent them from escalating to a costly breach. Building a strong cybersecurity culture can mitigate apathy by engaging employees as part of the solution and providing the tools and training they need to work productively and securely.
Ways to Improve Cybersecurity Culture
Here are four ways to improve your cybersecurity culture:
- Deliver tailored security awareness training programs. Global spending on security training continues to rise, but the reality is that most employees aren't engaged in this training. Nearly half (48%) of the security leaders surveyed by Tessian say that training is one of the most important influences on a positive cybersecurity posture. Despite that, only 28% of employees say security awareness training is engaging, and only half say that it is helpful. This is a major disconnect.
Security training should be tailored to individual employees based on factors such as department, tenure, and geography. For example, teach remote employees about the specific types of scams that could target them, and show the finance department real-world examples of wire-transfer fraud and related financial swindles. Rather than yearly or quarterly trainings, employees should receive the information they need in the moment to give context around their own cybersecurity behaviors and help them avoid mistakes.
- Implement a strong but simple incident-reporting process. A similar disconnect between security teams and employees exists when it comes to the incident-reporting process. Tessian found that 80% of security leaders believe robust feedback loops are in place to report incidents, but nearly half (45%) of employees don't know who to report security incidents to. A well-defined, accessible reporting process can make it easy for employees to flag potential incidents and give security teams greater visibility into the organization's risk.
For example, security teams can institute a single, defined process such as an email address or a phone number that employees can use to flag a suspicious email or potential cybersecurity incident. Often this process can be automated, as opposed to pulling in security team members at all hours and risking burnout. A strong reporting process will be predictable, automated where possible, and easy for employees to access without fearing they will be punished for making a cybersecurity mistake.
- Drop the fear, uncertainty, and doubt. Punishing or shaming employees for making mistakes can lead them to disengage or feel apathy toward the cybersecurity culture. Employees won't trust, or want to engage with, a security team that relies on fear or negative reinforcement.
Tessian's report found that half of employees have had a negative experience with a phishing simulation. Recent headlines show the type of backlash that can occur when companies use "gotcha" style phishing techniques designed to trick employees. Techniques like this can create an adversarial relationship between the security team and the rest of the company.
A strong cybersecurity culture instills collaboration and uses positive incentives to engage employees. For example, reward employees who flag a cybersecurity incident, spot a suspicious email, or complete a training. It doesn't have to be a major investment. Peer recognition can go a long way.
- Align with the HR team. Lastly, security training and best practices can be woven into the entire employee life cycle to foster and maintain a risk-aware organization. Security teams should partner with HR to play an active role in onboarding, offboarding, and day-to-day processes. For example, give new employees information on incident reporting and real-world examples of the scams that often target new employees.
Similarly, during the offboarding process, employees should be reminded of data security processes, including why they cannot take documents and other information with them to a new job. In a separate Tessian report, 45% of employees admitted they've taken data before leaving or after being dismissed from a job. This isn't always done maliciously — many employees aren't aware of when documents belong to them and when they don't — so it's important to provide guidance.
Importance of Building a Strong Cybersecurity Culture
Employees have become stewards of their organization's most sensitive data, while channels such as email have become the de facto method of communication across hybrid and remote teams. Security teams must safeguard the employees who manage data day-to-day and combat the apathy and disengagement that can lead to a costly breach.
A strong cybersecurity culture can make the difference between employees who put the organization at risk and employees who are actively part of the solution.
Virtually all IT and security leaders surveyed by Tessian (99%) agreed that a strong security culture is important in maintaining a strong security posture. However, if the right steps aren't taken, employees won't understand the vital role they play in protecting an organization from today's advanced threats.