September 29, 2017 By Douglas Bonderud 3 min read

Employees remain the biggest source of corporate cyber risk. According to the “IBM X-Force 2016 Cyber Security Intelligence Index,” staff members are responsible for 60 percent of all digital attacks endured by enterprises. In most cases, there’s no malicious intent. Employees may subvert network security by opening infected email attachments, falling for well-crafted phishing attacks, accessing compromised third-party apps or accidentally posting confidential information on social media sites.

The accepted method to mitigate these risks is employee education — training staff to recognize the risks of specific behaviors and taking steps to avoid potential compromise. Still, the problem persists, with insider issues ranking as the top threat month after month and year after year. How much security advice are employees really hearing and taking to heart? Can companies convince them to care about network security?

Double the Danger

The ubiquity of mobile devices and frustration with security controls are the two main factors that contribute to human-driven security risks. Infosecurity Magazine noted that, according to exclusive Symantec research, just 15 percent of surveyed employees set their mobile devices to automatically update security settings.

Even more worrisome, only 54 percent “were able to confirm that security on the device was up to date at all times,” while 53 percent used their personal devices for work outside the workplace, even though 13 percent of staff had “no idea” about the security status of their device. Add in public Wi-Fi connections, phishing emails and the inherent risks of social media, and it’s not a stretch to imagine mobile devices as the easiest way in for determined fraudsters, especially as enterprises increase mobile device permissions to empower remote workers.

The other issue is that employees often feel restricted by current security measures and, in some cases, are prevented from effectively doing their jobs. According to SC Magazine, that’s why medical staff “routinely ignore” IT security rules. Regulations that exist to meet compliance standards or protect critical assets often fail to account for medical professionals’ need for quick access to essential data, leading to a culture of technology workarounds that allow staff members to complete essential tasks but place organizations at risk of malware infections or ransomware attacks.

In many instances, employees aren’t the root of the problem. Instead, security staff members who “did not sufficiently consider the actual clinical workflow” are responsible for increasing total risk, according to SC Magazine. The same issue applies to other industries. For example, IT staff committed to reducing potential cloud security breaches may restrict the ability of employees to complete day-to-day tasks by limiting app use, driving the development of shadow IT culture. So it’s no surprise that, while employees are present for security training, they’re not interested in adopting network security best practices.

Cultivating a Culture of Network Security Awareness

To shift employee focus from IT workarounds to embracing security strategy, enterprises must address four key areas of concern.

1. C-Suite Support

Without top-level support for training programs, ongoing employee education and the budget to monitor metrics over the long term, efforts to shore up staff security are doomed to fail. As noted by Information Security Buzz, it’s critical for IT employees to link potential breaches with business outcomes such as reputation loss, monetary cost and the impact on line-of-business objectives. This helps establish network security as a top concern and ensures that enough money is available to effectively train employees.

2. End-to-End Process

How do employees interact with the corporate network? Where are most access requests coming from? What type of applications are staff members using to improve productivity and efficiency?

While it’s possible to design and implement security controls that run counter to existing processes, this is a hard sell that requires constant vigilance and reprimands from IT, since employees will do everything they can to obey the letter of the law while circumventing the spirit. By seeking out staff input and attempting to incorporate existing tools wherever possible, IT teams can help onboard staff rather than face continual opposition.

3. Talking the Talk

As noted by Forbes, positive communication can boost productivity, improve workplace stress management and increase employee engagement. This means replacing doom-and-gloom speeches and hard talk about consequences with more positive methods that focus on employees’ abilities and opportunities. As a result, employees will be primed to better remember lessons learned in training, manage stress if IT incidents occur and engage in the learning process.

4. Analytics

No matter how good the training method or how engaged the employees, perfect network security is impossible. Employees occasionally make mistakes, forget what they’ve learned or choose speed over security. End-user experience monitoring tools can help fill this gap by providing the hard data IT professionals need to discover the root causes of security issues or address specific employee practices.

Think of it like the difference between self-reporting and outside observation: Even when staff members are entirely upfront about their behavior, there may be device risks or compromised applications that impact network security but are beyond at-a-glance observation.

Empower Your Employees

Employees are the top risk to enterprise security. Better training can help alleviate this issue, but engaging employees takes more than PowerPoint presentations and hard-line security policies. By obtaining C-suite support and prioritizing user processes, enterprises can leverage positive communication and end-user monitoring software to empower network security.
