Employees remain the biggest source of corporate cyber risk. According to the “IBM X-Force 2016 Cyber Security Intelligence Index,” staff members are responsible for 60 percent of all digital attacks endured by enterprises. In most cases, there’s no malicious intent. Employees may subvert network security by opening infected email attachments, falling for well-crafted phishing attacks, accessing compromised third-party apps or accidentally posting confidential information on social media sites.

The accepted method to mitigate these risks is employee education — training staff to recognize the risks of specific behaviors and to take steps to avoid potential compromise. Still, the problem persists, with insider issues ranking as the top threat month after month and year after year. How much security advice are employees really hearing and taking to heart? Can companies convince them to care about network security?

Double the Danger

The ubiquity of mobile devices and frustration with security controls are the two main factors that contribute to human-driven security risks. Infosecurity Magazine noted that, according to exclusive Symantec research, just 15 percent of surveyed employees set their mobile devices to automatically update security settings.

Even more worrisome, only 54 percent “were able to confirm that security on the device was up to date at all times,” while 53 percent used their personal devices for work outside the workplace, and 13 percent of staff had “no idea” about the security status of their device. Add in public Wi-Fi connections, phishing emails and the inherent risks of social media, and it’s not a stretch to imagine mobile devices as the easiest way in for determined fraudsters, especially as enterprises increase mobile device permissions to empower remote workers.

The other issue is that employees often feel restricted by current security measures and, in some cases, are prevented from effectively doing their jobs. According to SC Magazine, that’s why medical staff “routinely ignore” IT security rules. Regulations that exist to meet compliance standards or protect critical assets often fail to account for medical professionals’ need for quick access to essential data, leading to a culture of technology workarounds that allow staff members to complete essential tasks but place organizations at risk of malware infections or ransomware attacks.

In many instances, employees aren’t the root of the problem. Instead, security staff members who “did not sufficiently consider the actual clinical workflow” are responsible for increasing total risk, according to SC Magazine. The same issue applies to other industries. For example, IT staff committed to reducing potential cloud security breaches may restrict the ability of employees to complete day-to-day tasks by limiting app use, driving the development of a shadow IT culture. So it’s no surprise that, while employees may attend security training, they’re not interested in adopting network security best practices.

Cultivating a Culture of Network Security Awareness

To shift employee focus from IT workarounds to embracing security strategy, enterprises must address four key areas of concern.

1. C-Suite Support

Without top-level support for training programs, ongoing employee education and the budget to monitor metrics over the long term, efforts to shore up staff security are doomed to fail. As noted by Information Security Buzz, it’s critical for IT employees to link potential breaches with business outcomes such as reputation loss, monetary cost and the impact on line-of-business objectives. This helps establish network security as a top concern and ensures that enough money is available to effectively train employees.

2. End-to-End Process

How do employees interact with the corporate network? Where are most access requests coming from? What type of applications are staff members using to improve productivity and efficiency?

While it’s possible to design and implement security controls that run counter to existing processes, this is a hard sell that requires constant vigilance and reprimands from IT, since employees will do everything they can to obey the letter of the law while circumventing the spirit. By seeking out staff input and attempting to incorporate existing tools wherever possible, IT teams can help onboard staff rather than face continual opposition.

3. Talking the Talk

As noted by Forbes, positive communication can boost productivity, improve workplace stress management and increase employee engagement. This means tossing out doom-and-gloom speeches and hard talk about consequences in favor of more positive methods that focus on employees’ abilities and opportunities. As a result, employees will be primed to better remember lessons learned in training, manage stress if IT incidents occur and engage in the learning process.

4. Analytics

No matter how good the training method or how engaged the employees, perfect network security is impossible. Employees occasionally make mistakes, forget what they’ve learned or choose speed over security. End-user experience monitoring tools can help fill this gap by providing the hard data IT professionals need to discover the root causes of security issues or address specific employee practices.

Think of it like the difference between self-reporting and outside observation: Even when staff members are entirely upfront about their behavior, there may be device risks or compromised applications that impact network security but are beyond at-a-glance observation.

Empower Your Employees

Employees are the top risk to enterprise security. Better training can help alleviate this issue, but engaging employees takes more than PowerPoint presentations and hard-line security policies. By obtaining C-suite support and prioritizing user processes, enterprises can leverage positive communication and end-user monitoring software to empower network security.
