Employees remain the biggest source of corporate cyber risk. According to the “IBM X-Force 2016 Cyber Security Intelligence Index,” staff members are responsible for 60 percent of all digital attacks endured by enterprises. In most cases, there’s no malicious intent. Employees may subvert network security by opening infected email attachments, falling for well-crafted phishing attacks, accessing compromised third-party apps or accidentally posting confidential information on social media sites.
The accepted method to mitigate these risks is employee education — training staff to recognize the risks of specific behaviors and taking steps to avoid potential compromise. Still, the problem persists, with insider issues ranking as the top threat month after month and year after year. How much security advice are employees really hearing and taking to heart? Can companies convince them to care about network security?
Double the Danger
The ubiquity of mobile devices and frustration with security controls are the two main factors that contribute to human-driven security risks. Infosecurity Magazine noted that, according to exclusive Symantec research, just 15 percent of surveyed employees set their mobile devices to automatically update security settings.
Even more worrisome, only 54 percent “were able to confirm that security on the device was up to date at all times,” while 53 percent used their personal devices for work outside the workplace, even though 13 percent of staff had “no idea” about the security status of their device. Add in public Wi-Fi connections, phishing emails and the inherent risks of social media, and it’s not a stretch to imagine mobile devices as the easiest way in for determined fraudsters, especially as enterprises increase mobile device permissions to empower remote workers.
The other issue is that employees often feel restricted by current security measures and, in some cases, are prevented from effectively doing their jobs. According to SC Magazine, that’s why medical staff “routinely ignore” IT security rules. Regulations that exist to meet compliance standards or protect critical assets often fail to account for medical professionals’ need for quick access to essential data, leading to a culture of technology workarounds that allow staff members to complete essential tasks but place organizations at risk of malware infections or ransomware attacks.
In many instances, employees aren’t the root of the problem. Instead, security staff members who “did not sufficiently consider the actual clinical workflow” are responsible for increasing total risk, according to SC Magazine. The same issue applies to other industries. For example, IT staff committed to reducing potential cloud security breaches may restrict the ability of employees to complete day-to-day tasks by limiting app use, driving the development of shadow IT culture. So it’s no surprise that, while employees are present for security training, they’re not interested in adopting network security best practices.
Cultivating a Culture of Network Security Awareness
To shift employee focus from IT workarounds to embracing security strategy, enterprises must address four key areas of concern.
1. C-Suite Support
Without top-level support for training programs, ongoing employee education and the budget to monitor metrics over the long term, efforts to shore up staff security are doomed to fail. As noted by Information Security Buzz, it’s critical for IT employees to link potential breaches with business outcomes such as reputation loss, monetary cost and the impact to line-of-business objectives. This helps establish network security as a top concern and ensures that enough money is available to effectively train employees.
2. End-to-End Process
How do employees interact with the corporate network? Where are most access requests coming from? What type of applications are staff members using to improve productivity and efficiency?
While it’s possible to design and implement security controls that run counter to existing processes, this is a hard sell that requires constant vigilance and reprimands from IT, since employees will do everything they can to obey the letter of the law while circumventing the spirit. By seeking out staff input and attempting to incorporate existing tools wherever possible, IT teams can help onboard staff rather than face continual opposition.
3. Talking the Talk
As noted by Forbes, positive communication can boost productivity, improve workplace stress management and increase employee engagement. This means tossing out doom-and-gloom speeches and hard talk about consequences in favor of more positive methods that focus on employees’ abilities and opportunities. As a result, employees will be primed to better remember lessons learned in training, manage stress if IT incidents occur and engage in the learning process.
4. Analytics
No matter how good the training method or how engaged the employees, perfect network security is impossible. Employees occasionally make mistakes, forget what they’ve learned or choose speed over security. End-user experience monitoring tools can help fill this gap by providing the hard data IT professionals need to discover the root causes of security issues or address specific employee practices.
Think of it like the difference between self-reporting and outside observation: Even when staff members are entirely upfront about their behavior, there may be device risks or compromised applications that impact network security but are beyond at-a-glance observation.
Empower Your Employees
Employees are the top risk to enterprise security. Better training can help alleviate this issue, but engaging employees takes more than PowerPoint presentations and hard-line security policies. By obtaining C-suite support and prioritizing user processes, enterprises can leverage positive communication and end-user monitoring software to empower network security.