Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

// // //
01:00 PM
Chrysa Freeman
Chrysa Freeman
Connect Directly
E-Mail vvv

Let's Stop Blaming Employees for Our Data Breaches

Assuming employees want to steal trade secrets pits them against your security teams, creates stress and reduces productivity.

When data moves off a trusted network, it may be a default response to assume malicious intent is involved. We see news headlines about employees stealing data, and as a result we're conditioning ourselves to leap to the conclusion that data leaks are typically malicious. In some cases, it could turn out to be intentional theft, but when it comes to data spilling off the network by our trusted employees, we should take time to dig a little deeper to learn more — especially because cases of data exfiltration are very often due to employee error or negligence.  

The vast majority of your employees are well-meaning, hard-working people who never intend to create a cybersecurity problem. In fact, in 2020, 17% of all data breaches were caused by human error, double the amount that occurred in 2019.

Related Content:

5 Steps Every Company Should Take to Avoid Data Theft Risk

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Faster COVID-19 Research Is Being Made Possible by Secure Silicon

Maybe a new employee adds their personal iCloud drive to their work device to make their personal information more readily available, not realizing there is a default setting in place that ends up automatically uploading company data to their iCloud account. Or a team member working remotely during the pandemic might access a file from their personal laptop when their work computer isn't loading. Either way, the employee didn't intend to cause a problem. For security teams to conclude the employee intended harm isn't going to prevent future data loss.

In fact, assuming employees want to steal your intellectual property or trade secrets pits your security teams and employees against one another and could contribute toward unnecessary security-related stress. We need a better approach, one that begins with presuming your employees are just trying to get their work done and that their actions come from a place of positive intent.

Building a positive intent security culture begins on an employee's first day at work. Bake security into your onboarding process, even if you only discuss it for five minutes. Use that time to set the tone that your security team isn't out to get them and that you need employees' help to protect company assets. You should also lay the groundwork for how employees can best work with the security team: Where do they go if they need assistance, have questions, or need to report any issues or concerns?

It's also essential to provide regular, effective cybersecurity training that positions your employees as security heroes rather than adversaries. Instead of just focusing on malicious data theft, educate your team on common ways data is unintentionally leaked to raise awareness and prevent it from happening in the future.

As with any training, you also want to make sure that it sticks. How do you do that? Make the training itself engaging. Change up the format and make it interactive when possible. Pitch your phishing exercises as security challenges where they can work to increase their score of not clicking and reporting the test emails — and be transparent about why you offer phishing training. We typically give new employees a heads-up that we'll be conducting phishing tests, not as a trick but to help them learn to recognize and report suspicious emails. We can't expect them to be great at something they never get a chance to practice.

Transparency goes a long way in both directions. At Code42, we also ask our employees to alert us when they have a business or personal reason to move or share a file. For example, a departing employee recently notified our security team that they were planning on transferring some personal photos they had saved on their work drive to a personal drive. This proactive behavior is helpful because it could shorten investigation times and allows our security team to suggest more secure transfer methods, such as an encrypted drive. 

There's still the chance you might encounter an employee maliciously exfiltrating data. It is still best to approach every data leak with the assumption that the person behind it had positive intentions since that is often the case. When reaching out to an employee about a security misstep or error, the language and wording you use can go a long way toward showing you are there to help and making the employee feel comfortable and willing to work with your team. 

For example, if you notice a suspicious file transfer, you can send the employee a note along the lines of "We noticed a file transfer to a personal email account. Can you confirm if you're aware of this?" — instead of "We received notice that you transferred a file to a personal email account, so we are locking down your computer." Or if someone has not completed a required security training, you can say: "Our records show your security training is overdue, can you confirm?" More often than not, this will lead to a response from the employee asking where to find the training, indicating it's an education/communication issue instead of negligence. 

Security problems can cause a lot of stress, both for employees and security teams. We need to rewrite and strengthen the security narrative to emphasize that most employees are well meaning. Doing so will show employees your team views them as trusted security partners and will allow the business to be more efficient and proactive about their security approach.

Chrysa has been in corporate security for 13 years. She's built security awareness programs from the ground up in various industries including retail, technology, and healthcare. Chrysa is currently Manager of Security Awareness at Code42. She is passionate about presuming ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
5/28/2021 | 11:55:07 AM
Using Positive Reinforcement to Enhance Proactive Cybersecurity Engagement
Great article and spot on with respect to increasing engagement.

We find that one of the best ways to increase overall employee engagement in the organization's security program, is to find ways to promote proactive behavior through gamification, management involvement, and meaningful KPIs KRIs built around the reaction/interaction to threats and potential threats. For example, when it comes to simulated phishing - instead of looking at click through rates as the key metric, organizations can focus on the proactive reporting of threats and the "see something, do something mentality" in order to create a more positive experience overall, thus improving employee willingness to engage in good habits, behavior and ultimately, changing one's identity with a more proactive inherent scrutiny in how they process and respond to information. Organizations who traditionally kneejerk enroll employees immediately after failing a phishing test tend to promote an adversarial relationship between IT and the work force. Although click through rates can provide some meaning information about areas of risk, incentives around the promotion of proactive behavior and employees becoming proactive cybersecurity citizens is one of the best ways to enhance engagement across a security awareness program and empower employees and teams to identify and stop threats.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file