While all employees have a responsibility to keep their organizations safe, there's no reason this priority has to come at the expense of productivity. As cybersecurity awareness becomes more common at companies around the country, this has led to a phenomenon I refer to as click paralysis – when employees are so afraid of clicking on malware and infecting their networks that they refuse to click on legitimate and safe content.
The point of cybersecurity training isn't to make end users afraid of everything; it's to ensure that they know how to recognize and avoid threats when they arise. When employees take this goal to unnecessary extremes, they actually undermine their cybersecurity platforms by creating disincentives for continued compliance. Who wants to observe cybersecurity guidelines that prevent people from getting any work done? Employees who try to protect themselves by indiscriminately avoiding digital content are also failing to build the cybersecurity skills they need – they aren't using their best judgment or putting what they've learned into practice if they adopt a blanket no-click policy.
Cybersecurity is actually a boon to productivity, as it helps companies avoid breaches and shutdowns that can cost millions of dollars, lose customers' trust, and disrupt operations. But employees don't have to be paralyzed by fear to keep the company safe. They just have to understand what threats look like and how to stop them.
Using Culture to Prevent Click Paralysis
One way to prevent fear and paralysis from taking hold at your company is to foster a culture of openness. A major cybersecurity problem organizations face is the anxiety employees feel about reporting potential breaches and other incidents to their managers. According to a PwC survey, just 26% of employees say they can report an incident without fear of reprisal. This status quo is deeply corrosive to the development of a healthy culture around cybersecurity, as it keeps managers and IT professionals in the dark about what's happening at their own companies.
Is it any wonder that employees who are afraid of retaliation if they're honest about their mistakes are also inordinately worried about what they click on? Companies need to address both of these problems at once by making it clear that nobody will be punished if they inform a manager about a possible cyberattack, even if the employee submitting the report bears responsibility. In fact, employees should be rewarded for admitting their mistake and taking steps to minimize the damage it might cause.
Cybersecurity awareness is all about culture. By reinforcing responsible behavior and maintaining a norm of transparency, companies will increase productivity and protect themselves from cyberthreats at the same time.
Employees Are Key to Prevention
Cybercriminals' tactics never stop evolving. Despite the fact that investments in cybersecurity are on the rise and major attacks (from Colonial Pipeline to SolarWinds to Equifax) have been in the headlines for years, the cost and frequency of cyberattacks just keep increasing. But no matter how sophisticated cybercriminals become, a well-trained workforce is still the best resource companies have for fending off their attacks.
There's a simple reason for this fact: cybercriminals still rely on deceiving and manipulating human beings more than on any other variable. According to Verizon's "2021 Data Breach Investigations Report," social engineering remains the top tactic implicated in breaches. This means the vast majority of breaches are preventable – in each case, employees just need to be capable of identifying the threat.
If employees allow anxiety to dictate their decisions and prevent work from getting done, they're letting cybercriminals harm the company even in the absence of a successful attack. This is why companies should focus on empowering employees to take cybersecurity into their own hands through the establishment of clear channels for reporting incidents, and the development of a cybersecurity-aware culture.
Training Employees to Recognize Threats
There are many ways companies can help employees find a balance between cybersecurity and productivity. While it's essential to cite real-world attacks in your cybersecurity education program to demonstrate which strategies cybercriminals are using (as well as the actual consequences of breaches), these lessons should always be constructive. Despite the immense damage they're capable of causing, cybercriminals shouldn't be presented as some kind of unstoppable force of nature – the last thing you want to do is convince employees that their efforts can't make a difference.
This is why every frightening story about cyberattacks should be accompanied by a concrete call to action. If a company's network was breached by a phishing scheme, the lesson should address whichever attack vector was exploited and demonstrate how this could have been prevented. For example, malware is often delivered through a malicious link, which employees can inspect to determine whether it's fraudulent. When they hover the cursor over the link, does the URL destination match the legitimate site they're trying to access? Where did the email come from? Is it possible to confirm with the sender in person or through secured communication?
In theory, every social engineering attack could be prevented, because human behavior is integral at some stage of the process. Rather than framing this fact as a discouraging reminder that employees are responsible for a huge proportion of cyberattacks, companies should present it as an opportunity to drastically reduce risk in a cost-effective and long-term way. This will make employees more confident in what they learn, decreasing the risk of cyberattacks and click paralysis at the same time.