September 29, 2017 By Douglas Bonderud 3 min read

Employees remain the biggest source of corporate cyber risk. According to the “IBM X-Force 2016 Cyber Security Intelligence Index,” staff members are responsible for 60 percent of all digital attacks endured by enterprises. In most cases, there’s no malicious intent. Employees may subvert network security by opening infected email attachments, falling for well-crafted phishing attacks, accessing compromised third-party apps or accidentally posting confidential information on social media sites.

The accepted method to mitigate these risks is employee education — training staff to recognize the risks of specific behaviors and taking steps to avoid potential compromise. Still, the problem persists, with insider issues ranking as the top threat month after month and year after year. How much security advice are employees really hearing and taking to heart? Can companies convince them to care about network security?

Double the Danger

The ubiquity of mobile devices and frustration with security controls are the two main factors that contribute to human-driven security risks. Infosecurity Magazine noted that, according to exclusive Symantec research, just 15 percent of surveyed employees set their mobile devices to automatically update security settings.

Even more worrisome, only 54 percent “were able to confirm that security on the device was up to date at all times,” 53 percent used their personal devices for work outside the workplace, and 13 percent of staff had “no idea” about the security status of their device. Add in public Wi-Fi connections, phishing emails and the inherent risks of social media, and it’s not a stretch to see mobile devices as the easiest way in for determined fraudsters, especially as enterprises grant mobile devices more permissions to empower remote workers.

The other issue is that employees often feel restricted by current security measures and, in some cases, are prevented from effectively doing their jobs. According to SC Magazine, that’s why medical staff “routinely ignore” IT security rules. Rules that exist to meet compliance standards or protect critical assets often fail to account for medical professionals’ need for quick access to essential data, leading to a culture of technology workarounds that allow staff members to complete essential tasks but expose organizations to malware infections or ransomware attacks.

In many instances, employees aren’t the root of the problem. Instead, security staff members who “did not sufficiently consider the actual clinical workflow” are responsible for increasing total risk, according to SC Magazine. The same issue applies to other industries. For example, IT staff committed to reducing potential cloud security breaches may restrict the ability of employees to complete day-to-day tasks by limiting app use, driving the development of shadow IT culture. So it’s no surprise that, while employees are present for security training, they’re not interested in adopting network security best practices.

Cultivating a Culture of Network Security Awareness

To shift employee focus from IT workarounds to embracing security strategy, enterprises must address four key areas of concern.

1. C-Suite Support

Without top-level support for training programs, ongoing employee education and the budget to monitor metrics over the long term, efforts to shore up staff security are doomed to fail. As noted by Information Security Buzz, it’s critical for IT employees to link potential breaches with business outcomes such as reputation loss, monetary cost and the impact on line-of-business objectives. This helps establish network security as a top concern and ensures that enough money is available to train employees effectively.

2. End-to-End Process

How do employees interact with the corporate network? Where are most access requests coming from? What type of applications are staff members using to improve productivity and efficiency?

While it’s possible to design and implement security controls that run counter to existing processes, this is a hard sell that requires constant vigilance and reprimands from IT, since employees will do everything they can to obey the letter of the law while circumventing the spirit. By seeking out staff input and attempting to incorporate existing tools wherever possible, IT teams can help onboard staff rather than face continual opposition.

3. Talking the Talk

As noted by Forbes, positive communication can boost productivity, improve workplace stress management and increase employee engagement. This means replacing doom-and-gloom speeches and hard talk about consequences with more positive methods that focus on employees’ abilities and opportunities. As a result, employees will be primed to better remember lessons learned in training, manage stress if IT incidents occur and engage in the learning process.

4. Analytics

No matter how good the training method or how engaged the employees, perfect network security is impossible. Employees occasionally make mistakes, forget what they’ve learned or choose speed over security. End-user experience monitoring tools can help fill this gap by providing the hard data IT professionals need to discover the root causes of security issues or address specific employee practices.

Think of it like the difference between self-reporting and outside observation: Even when staff members are entirely upfront about their behavior, there may be device risks or compromised applications that impact network security but are beyond at-a-glance observation.
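The gap between self-reporting and outside observation described above, and the mobile device statistics cited earlier (auto-update disabled, patch status unknown, personal devices used for work), can be made concrete with a small reconciliation script. The following is an added example and not code from the original article, IBM or Symantec: it takes constructed survey answers and constructed device telemetry (the field names, the 30-day patch threshold and the “ownership”/“corp_app_access” attributes are assumptions, not the schema of any real MDM or monitoring product) and flags where the telemetry contradicts what staff reported, which is the kind of hard data the article says monitoring tools should supply.

```python
"""Reconcile employee self-reports with device telemetry (constructed example).

The data shapes and threshold below are assumptions for illustration only;
they do not correspond to any specific MDM or end-user monitoring product.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class SelfReport:
    """What an employee said in the awareness survey."""
    user: str
    says_up_to_date: bool        # "my device security is up to date"
    uses_personal_for_work: bool  # "I use a personal device for work"


@dataclass(frozen=True)
class DeviceTelemetry:
    """What the device itself reports to the monitoring tool."""
    user: str
    device_id: str
    ownership: str        # "corporate" or "personal" (assumed attribute)
    auto_update: bool     # security updates applied automatically
    last_patch: date      # date of the last installed security update
    corp_app_access: bool  # device has reached corporate resources


# Assumption: a device more than 30 days behind on patches is "stale".
MAX_PATCH_AGE = timedelta(days=30)


def assess(reports, devices, today):
    """Return (user, device_id, reason) findings where telemetry shows risk
    or contradicts the employee's own answer."""
    report_by_user = {r.user: r for r in reports}
    findings = []
    for d in devices:
        rep = report_by_user.get(d.user)  # None if the user never answered
        stale = (today - d.last_patch) > MAX_PATCH_AGE
        if not d.auto_update:
            findings.append((d.user, d.device_id, "auto_update_disabled"))
        if stale:
            findings.append((d.user, d.device_id, "patch_stale"))
        # Self-report contradicted by observation: says current, device is not.
        if rep is not None and rep.says_up_to_date and stale:
            findings.append((d.user, d.device_id, "self_report_mismatch"))
        # Personal device touching corporate resources that nobody declared.
        declared = rep is not None and rep.uses_personal_for_work
        if d.ownership == "personal" and d.corp_app_access and not declared:
            findings.append((d.user, d.device_id, "undeclared_personal_device"))
    return findings


def summarize(findings):
    """Count findings by reason so root causes can be prioritised."""
    return dict(Counter(reason for _, _, reason in findings))


def auto_update_rate(devices):
    """Share of devices with automatic security updates enabled."""
    return sum(1 for d in devices if d.auto_update) / len(devices)


# Constructed sample data (not real survey or telemetry records).
TODAY = date(2017, 9, 29)
REPORTS = [
    SelfReport("alice", says_up_to_date=True, uses_personal_for_work=False),
    SelfReport("bob", says_up_to_date=True, uses_personal_for_work=True),
    SelfReport("carol", says_up_to_date=False, uses_personal_for_work=False),
    # "dave" never filled in the survey.
]
DEVICES = [
    DeviceTelemetry("alice", "LT-001", "corporate", True, date(2017, 9, 20), True),
    DeviceTelemetry("alice", "PH-002", "personal", False, date(2017, 7, 1), True),
    DeviceTelemetry("bob", "PH-003", "personal", True, date(2017, 9, 25), True),
    DeviceTelemetry("carol", "LT-004", "corporate", True, date(2017, 8, 1), True),
    DeviceTelemetry("dave", "PH-005", "personal", False, date(2017, 9, 27), False),
]


if __name__ == "__main__":
    results = assess(REPORTS, DEVICES, TODAY)
    for user, device, reason in results:
        print(f"{user:6} {device:7} {reason}")
    print("by reason:", summarize(results))
    print(f"auto-update enabled on {auto_update_rate(DEVICES):.0%} of devices")
```

In the sample, “alice” reports that her security is current and that she does not use a personal device for work, yet her personal phone has automatic updates off, is 90 days behind on patches and has been reaching corporate applications; that single device produces four findings that no survey would surface. Counting findings by reason is what lets IT tell whether the root cause is a device setting (auto-update disabled), a process gap (undeclared personal devices) or an awareness gap (self-reports that do not match reality).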

Empower Your Employees

Employees are the top risk to enterprise security. Better training can help alleviate this issue, but engaging employees takes more than PowerPoint presentations and hard-line security policies. By obtaining C-suite support and prioritizing user processes, enterprises can combine positive communication with end-user monitoring software to strengthen network security.
