Dark Reading | Vulnerabilities / Threats | Commentary
5/27/2021 01:00 PM
Chrysa Freeman
Let's Stop Blaming Employees for Our Data Breaches

Assuming employees want to steal trade secrets pits them against your security teams, creates stress and reduces productivity.

When data moves off a trusted network, it may be a default response to assume malicious intent is involved. We see news headlines about employees stealing data, and as a result we're conditioning ourselves to leap to the conclusion that data leaks are typically malicious. In some cases, it could turn out to be intentional theft, but when it comes to data spilling off the network by our trusted employees, we should take time to dig a little deeper to learn more — especially because cases of data exfiltration are very often due to employee error or negligence.  

The vast majority of your employees are well-meaning, hard-working people who never intend to create a cybersecurity problem. In fact, in 2020, 17% of all data breaches were caused by human error, double the amount that occurred in 2019.


Maybe a new employee adds their personal iCloud drive to their work device to make their personal information more readily available, not realizing there is a default setting in place that ends up automatically uploading company data to their iCloud account. Or a team member working remotely during the pandemic might access a file from their personal laptop when their work computer isn't loading. Either way, the employee didn't intend to cause a problem. For security teams to conclude the employee intended harm isn't going to prevent future data loss.

In fact, assuming employees want to steal your intellectual property or trade secrets pits your security teams and employees against one another and could contribute toward unnecessary security-related stress. We need a better approach, one that begins with presuming your employees are just trying to get their work done and that their actions come from a place of positive intent.

Building a positive intent security culture begins on an employee's first day at work. Bake security into your onboarding process, even if you only discuss it for five minutes. Use that time to set the tone that your security team isn't out to get them and that you need employees' help to protect company assets. You should also lay the groundwork for how employees can best work with the security team: Where do they go if they need assistance, have questions, or need to report any issues or concerns?

It's also essential to provide regular, effective cybersecurity training that positions your employees as security heroes rather than adversaries. Instead of just focusing on malicious data theft, educate your team on common ways data is unintentionally leaked to raise awareness and prevent it from happening in the future.

As with any training, you also want to make sure that it sticks. How do you do that? Make the training itself engaging. Change up the format and make it interactive when possible. Pitch your phishing exercises as security challenges in which employees can raise their score by not clicking on the test emails and by reporting them — and be transparent about why you offer phishing training. We typically give new employees a heads-up that we'll be conducting phishing tests, not as a trick but to help them learn to recognize and report suspicious emails. We can't expect them to be great at something they never get a chance to practice.

Transparency goes a long way in both directions. At Code42, we also ask our employees to alert us when they have a business or personal reason to move or share a file. For example, a departing employee recently notified our security team that they were planning on transferring some personal photos they had saved on their work drive to a personal drive. This proactive behavior is helpful because it can shorten investigation times and allows our security team to suggest more secure transfer methods, such as an encrypted drive.

There's still the chance you might encounter an employee maliciously exfiltrating data. Even so, it is best to approach every data leak with the assumption that the person behind it had positive intentions, since that is often the case. When reaching out to an employee about a security misstep or error, the language and wording you use can go a long way toward showing you are there to help and making the employee feel comfortable and willing to work with your team.

For example, if you notice a suspicious file transfer, you can send the employee a note along the lines of "We noticed a file transfer to a personal email account. Can you confirm if you're aware of this?" — instead of "We received notice that you transferred a file to a personal email account, so we are locking down your computer." Or if someone has not completed a required security training, you can say: "Our records show your security training is overdue, can you confirm?" More often than not, this will lead to a response from the employee asking where to find the training, indicating it's an education/communication issue instead of negligence. 

Security problems can cause a lot of stress, both for employees and security teams. We need to rewrite and strengthen the security narrative to emphasize that most employees are well-meaning. Doing so will show employees that your team views them as trusted security partners and will allow the business to be more efficient and proactive in its security approach.

Chrysa has been in corporate security for 13 years. She's built security awareness programs from the ground up in various industries including retail, technology, and healthcare. Chrysa is currently Manager of Security Awareness at Code42. She is passionate about presuming ...

Comments
matt.lindley (User Rank: Apprentice), 5/28/2021 | 11:55:07 AM
Using Positive Reinforcement to Enhance Proactive Cybersecurity Engagement
Great article and spot on with respect to increasing engagement.

We find that one of the best ways to increase overall employee engagement in the organization's security program is to find ways to promote proactive behavior through gamification, management involvement, and meaningful KPIs/KRIs built around the reaction/interaction to threats and potential threats. For example, when it comes to simulated phishing, instead of looking at click-through rates as the key metric, organizations can focus on the proactive reporting of threats and the "see something, do something" mentality in order to create a more positive experience overall, thus improving employee willingness to engage in good habits and behavior and ultimately changing one's identity with a more proactive inherent scrutiny in how they process and respond to information. Organizations that traditionally knee-jerk enroll employees immediately after failing a phishing test tend to promote an adversarial relationship between IT and the workforce. Although click-through rates can provide some meaningful information about areas of risk, incentives around the promotion of proactive behavior and employees becoming proactive cybersecurity citizens are one of the best ways to enhance engagement across a security awareness program and empower employees and teams to identify and stop threats.