

5/27/2021
01:00 PM
Chrysa Freeman
Commentary

Let's Stop Blaming Employees for Our Data Breaches

Assuming employees want to steal trade secrets pits them against your security teams, creates stress and reduces productivity.

When data moves off a trusted network, the default response may be to assume malicious intent. We see news headlines about employees stealing data, and as a result we are conditioning ourselves to conclude that data leaks are typically malicious. In some cases it does turn out to be intentional theft, but when data spills off the network through our trusted employees, we should dig a little deeper before drawing that conclusion, especially because data exfiltration is very often the result of employee error or negligence.

The vast majority of your employees are well-meaning, hard-working people who never intend to create a cybersecurity problem. Consider that in 2020, 17% of all data breaches were caused by human error, double the share that occurred in 2019.


Maybe a new employee signs in to their personal iCloud drive on their work device to keep their personal files handy, not realizing that a default sync setting will also upload company data to that iCloud account. Or a team member working remotely during the pandemic opens a file from their personal laptop when their work computer isn't loading. In neither case did the employee intend to cause a problem, and for security teams to conclude that they did isn't going to prevent future data loss.

In fact, assuming employees want to steal your intellectual property or trade secrets pits your security teams and employees against one another and could contribute toward unnecessary security-related stress. We need a better approach, one that begins with presuming your employees are just trying to get their work done and that their actions come from a place of positive intent.

Building a positive intent security culture begins on an employee's first day at work. Bake security into your onboarding process, even if you only discuss it for five minutes. Use that time to set the tone that your security team isn't out to get them and that you need employees' help to protect company assets. You should also lay the groundwork for how employees can best work with the security team: Where do they go if they need assistance, have questions, or need to report any issues or concerns?

It's also essential to provide regular, effective cybersecurity training that positions your employees as security heroes rather than adversaries. Instead of just focusing on malicious data theft, educate your team on common ways data is unintentionally leaked to raise awareness and prevent it from happening in the future.

As with any training, you also want to make sure that it sticks. How do you do that? Make the training itself engaging. Change up the format and make it interactive when possible. Pitch your phishing exercises as security challenges in which employees score points for not clicking on, and for reporting, the test emails, and be transparent about why you run phishing simulations. We typically give new employees a heads-up that we'll be conducting phishing tests, not as a trick but to help them learn to recognize and report suspicious emails. We can't expect them to be great at something they never get a chance to practice.

Transparency goes a long way in both directions. At Code42, we also ask our employees to alert us when they have a business or personal reason to move or share a file. For example, a departing employee recently notified our security team that they were planning to transfer some personal photos saved on their work drive to a personal drive. This proactive behavior is helpful: it can shorten investigation time when that transfer later shows up in an alert, and it lets our security team suggest a more secure transfer method, such as an encrypted drive.

There's still the chance you might encounter an employee maliciously exfiltrating data, but it is best to approach every data leak with the assumption that the person behind it had positive intentions, since that is often the case. When reaching out to an employee about a security misstep or error, the language and wording you use can go a long way toward showing you are there to help and making the employee feel comfortable and willing to work with your team.

For example, if you notice a suspicious file transfer, you can send the employee a note along the lines of "We noticed a file transfer to a personal email account. Can you confirm if you're aware of this?" — instead of "We received notice that you transferred a file to a personal email account, so we are locking down your computer." Or if someone has not completed a required security training, you can say: "Our records show your security training is overdue, can you confirm?" More often than not, this will lead to a response from the employee asking where to find the training, indicating it's an education/communication issue instead of negligence. 
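One way to put the two practices above (employees pre-announcing transfers, and the question-first outreach note) into a repeatable triage step, as an added example that is not Code42's tooling or anything the author describes: the script below takes a constructed batch of DLP-style data-movement events, checks each one against transfers the employee already told the security team about, and drafts the neutral outreach note only for what is left unexplained. The event fields, the corporate and personal domain lists, and the 48-hour window in which a pre-notice counts are all assumptions made for the example.

```python
"""Positive-intent triage for data-movement alerts.

Added illustration, not Code42's tooling. Every field name, domain list and
the 48-hour notice window below is an assumption made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

CORP_DOMAINS = {"example.com"}                              # assumed corporate mail domain
PERSONAL_MAIL = {"gmail.com", "outlook.com", "icloud.com"}  # assumed consumer webmail
PERSONAL_CLOUD = {"icloud.com", "dropbox.com"}              # assumed personal sync hosts
NOTICE_WINDOW = timedelta(hours=48)                         # assumed: a notice covers +/- 48h


@dataclass
class Event:
    """One DLP-style alert (constructed shape)."""
    user: str
    when: datetime
    channel: str        # "email" or "cloud_sync"
    destination: str    # recipient address, or sync host
    filename: str


@dataclass
class Notice:
    """A heads-up an employee sent the security team before moving data."""
    user: str
    when: datetime
    destination: str
    reason: str


def classify(ev: Event) -> str:
    """Say where the data went; anything unrecognised stays 'unclassified'."""
    dest = ev.destination.lower()
    if ev.channel == "email":
        domain = dest.rsplit("@", 1)[-1]
        if domain in CORP_DOMAINS:
            return "internal"
        return "personal_email" if domain in PERSONAL_MAIL else "external_email"
    if ev.channel == "cloud_sync" and dest in PERSONAL_CLOUD:
        return "personal_cloud"
    return "unclassified"


def matching_notice(ev: Event, notices):
    """Return the employee's own pre-notice for this destination if one exists
    within NOTICE_WINDOW of the event; a stale notice does not cover a later move."""
    for n in notices:
        same_dest = n.destination.lower() == ev.destination.lower()
        if n.user == ev.user and same_dest and abs(ev.when - n.when) <= NOTICE_WINDOW:
            return n
    return None


def outreach(ev: Event, kind: str) -> str:
    """Draft the neutral, question-first note rather than an accusation."""
    where = {"personal_email": "a personal email account",
             "personal_cloud": f"{ev.destination} (a personal cloud account)"}
    target = where.get(kind, ev.destination)
    return (f"Hi {ev.user}, we noticed {ev.filename} went to {target} on "
            f"{ev.when:%Y-%m-%d}. Can you confirm you're aware of this? "
            "If it was intentional, we can suggest a more secure option.")


def triage(events, notices):
    """Return one {'user', 'action', 'detail'} record per event; action is
    'ignore' (internal), 'explained' (covered by a pre-notice) or 'ask'."""
    out = []
    for ev in events:
        kind = classify(ev)
        if kind == "internal":
            out.append({"user": ev.user, "action": "ignore", "detail": kind})
            continue
        n = matching_notice(ev, notices)
        if n is not None:
            out.append({"user": ev.user, "action": "explained",
                        "detail": f"pre-notified on {n.when:%Y-%m-%d}: {n.reason}"})
        else:
            out.append({"user": ev.user, "action": "ask", "detail": outreach(ev, kind)})
    return out


# Constructed sample input: four events, one pre-notice.
SAMPLE_NOTICES = [
    Notice("bob", datetime(2021, 5, 20, 16, 0), "icloud.com",
           "moving personal photos off my work drive before I leave"),
]
SAMPLE_EVENTS = [
    Event("alice", datetime(2021, 5, 20, 10, 0), "email", "alice.home@gmail.com", "q2_roadmap.pdf"),
    Event("bob", datetime(2021, 5, 21, 9, 0), "cloud_sync", "icloud.com", "family_photos.zip"),
    Event("carol", datetime(2021, 5, 22, 14, 0), "email", "dave@example.com", "budget.xlsx"),
    Event("bob", datetime(2021, 5, 25, 11, 0), "cloud_sync", "icloud.com", "customer_list.xlsx"),
]


def demo():
    """Run the sample batch; bob's second sync falls outside the notice window."""
    return triage(SAMPLE_EVENTS, SAMPLE_NOTICES)


if __name__ == "__main__":
    for r in demo():
        print(r["user"], r["action"], "-", r["detail"])
```

The point of the window check is the edge case: a notice explains the transfer it described, not every later transfer by the same person to the same place, so bob's second sync still gets the friendly question rather than being auto-closed.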

Security problems can cause a lot of stress, both for employees and security teams. We need to rewrite and strengthen the security narrative to emphasize that most employees are well meaning. Doing so will show employees your team views them as trusted security partners and will allow the business to be more efficient and proactive about their security approach.

Chrysa has been in corporate security for 13 years. She's built security awareness programs from the ground up in various industries including retail, technology, and healthcare. Chrysa is currently Manager of Security Awareness at Code42. She is passionate about presuming ...
matt.lindley, 5/28/2021 11:55:07 AM
Using Positive Reinforcement to Enhance Proactive Cybersecurity Engagement
Great article and spot on with respect to increasing engagement.

We find that one of the best ways to increase overall employee engagement in the organization's security program is to find ways to promote proactive behavior through gamification, management involvement, and meaningful KPIs/KRIs built around the reaction/interaction to threats and potential threats. For example, when it comes to simulated phishing, instead of looking at click-through rates as the key metric, organizations can focus on the proactive reporting of threats and the "see something, do something" mentality in order to create a more positive experience overall, thus improving employee willingness to engage in good habits and behavior and ultimately changing one's identity with a more proactive inherent scrutiny in how they process and respond to information. Organizations that traditionally knee-jerk enroll employees immediately after failing a phishing test tend to promote an adversarial relationship between IT and the workforce. Although click-through rates can provide some meaningful information about areas of risk, incentives around the promotion of proactive behavior and employees becoming proactive cybersecurity citizens are one of the best ways to enhance engagement across a security awareness program and empower employees and teams to identify and stop threats.