Employees remain the biggest source of corporate cyber risk. According to the “IBM X-Force 2016 Cyber Security Intelligence Index,” staff members are responsible for 60 percent of all digital attacks endured by enterprises. In most cases, there’s no malicious intent. Employees may subvert network security by opening infected email attachments, falling for well-crafted phishing attacks, accessing compromised third-party apps or accidentally posting confidential information on social media sites.

The accepted method to mitigate these risks is employee education — training staff to recognize the risks of specific behaviors and taking steps to avoid potential compromise. Still, the problem persists, with insider issues ranking as the top threat month after month and year after year. How much security advice are employees really hearing and taking to heart? Can companies convince them to care about network security?

Double the Danger

The ubiquity of mobile devices and frustration with security controls are the two main factors that contribute to human-driven security risks. Infosecurity Magazine noted that, according to exclusive Symantec research, just 15 percent of surveyed employees set their mobile devices to automatically update security settings.

Even more worrisome, only 54 percent “were able to confirm that security on the device was up to date at all times,” while 53 percent used their personal devices for work outside the workplace, even though 13 percent of staff had “no idea” about the security status of their device. Add in public Wi-Fi connections, phishing emails and the inherent risks of social media, and it’s not a stretch to imagine mobile devices as the easiest way in for determined fraudsters, especially as enterprises increase mobile device permissions to empower remote workers.

The other issue is that employees often feel restricted by current security measures and, in some cases, are prevented from effectively doing their jobs. According to SC Magazine, that’s why medical staff “routinely ignore” IT security rules. Regulations that exist to meet compliance standards or protect critical assets often fail to account for medical professionals’ need for quick access to essential data, leading to a culture of technology workarounds that allow staff members to complete essential tasks but place organizations at risk of malware infections or ransomware attacks.

In many instances, employees aren’t the root of the problem. Instead, security staff members who “did not sufficiently consider the actual clinical workflow” are responsible for increasing total risk, according to SC Magazine. The same issue applies to other industries. For example, IT staff committed to reducing potential cloud security breaches may restrict the ability of employees to complete day-to-day tasks by limiting app use, driving the development of shadow IT culture. So it’s no surprise that, while employees are present for security training, they’re not interested in adopting network security best practices.

Cultivating a Culture of Network Security Awareness

To shift employee focus from IT workarounds to embracing security strategy, enterprises must address four key areas of concern.

1. C-Suite Support

Without top-level support for training programs, ongoing employee education and the budget to monitor metrics over the long term, efforts to shore up staff security are doomed to fail. As noted by Information Security Buzz, it’s critical for IT employees to link potential breaches with business outcomes such as reputation loss, monetary cost and the impact on line-of-business objectives. This helps establish network security as a top concern and ensures that enough money is available to effectively train employees.

2. End-to-End Process

How do employees interact with the corporate network? Where are most access requests coming from? What type of applications are staff members using to improve productivity and efficiency?

While it’s possible to design and implement security controls that run counter to existing processes, this is a hard sell that requires constant vigilance and reprimands from IT, since employees will do everything they can to obey the letter of the law while circumventing the spirit. By seeking out staff input and attempting to incorporate existing tools wherever possible, IT teams can help onboard staff rather than face continual opposition.

3. Talking the Talk

As noted by Forbes, positive communication can boost productivity, improve workplace stress management and increase employee engagement. This means replacing doom-and-gloom speeches and hard talk about consequences with more positive methods that focus on employees’ abilities and opportunities. As a result, employees will be primed to better remember lessons learned in training, manage stress if IT incidents occur and engage in the learning process.

4. Analytics

No matter how good the training method or how engaged the employees, perfect network security is impossible. Employees occasionally make mistakes, forget what they’ve learned or choose speed over security. End-user experience monitoring tools can help fill this gap by providing the hard data IT professionals need to discover the root causes of security issues or address specific employee practices.

Think of it like the difference between self-reporting and outside observation: even when staff members are entirely upfront about their behavior, there may be device risks or compromised applications that impact network security but are beyond at-a-glance observation.

Empower Your Employees

Employees are the top risk to enterprise security. Better training can help alleviate this issue, but engaging employees takes more than PowerPoint presentations and hard-line security policies. By obtaining C-suite support and prioritizing user processes, enterprises can leverage positive communication and end-user monitoring software to empower network security.
