There are lots of reasons to fear a cyberattack on your business. Ultimately, it doesn’t really matter what kind of damage has been caused. The bottom line is that it can be financially devastating for any business. It’s also clear that cybercrime is on the rise. Every few days there’s another report of an organization that’s been successfully targeted. Essential and sensitive data is held to ransom or sold online. Damage control and recovery after a cyberattack are expensive and can cause serious downtime.

Most businesses are now well aware of the dangers of cybercrime, and have taken measures to protect themselves. Those include technological solutions, as well as better training of staff, who are the frontline defense against hackers and scammers. However, this isn’t a failsafe solution, and hackers are always devising new ways to carry out their schemes.

What More Can You Do?

With the rapid growth of cybercrime year on year, businesses need to take all possible steps to protect themselves. One thing has become apparent: throwing money at the problem isn’t enough to keep the threats at bay. Although it’s vital to budget generously for cybersecurity measures, simply increasing spending on cyberprotection won’t solve the problem. Technology doesn’t work in a vacuum, and a significant factor in cybersecurity failures is human error or unwitting negligence.

There are many opportunities for cybercriminals to perpetrate their scams, and exploiting poor cybersecurity protections is one of the ways that they succeed. They also know that exploiting user behavior is a winning strategy. Instead of hacking into a system and planting malware, it’s so much easier for them to con an employee into inadvertently doing it for them. All it takes is one click on a link in an email or one download of an infected attachment and they’ve achieved their objective. What can be done to make sure that staff are vigilant and diligent in protecting your IT?

Employees – the Weakest Link?

It seems obvious that best practices for cybersecurity should be observed by all staff, all of the time, but errors are always possible. The potential for error has been exacerbated by the recent expansion of remote working, which creates additional possibilities for mistakes to happen. IT professionals sometimes regard employees whose actions open the door to cyberattacks as simply ignorant, or sometimes as malicious. In reality, this isn’t generally the case. Very often it’s a product of workplace stress and pressure.

The Harvard Business Review researched the problem and found that stress plays an important role in cybersecurity breaches. The study examined user behavior over a ten-day period. Two in three employees did not adhere to cybersecurity protocols at least once during this time. Those policies and best practices were ignored approximately 5% of the time. That’s more than enough to open the door to a cyberattack and constitutes a significant risk. Only 3% of incidents qualified as malicious or acts of sabotage.

What’s Going On?

The figures suggest that most employees followed procedures nineteen times out of twenty. Why do it right most of the time and then fail? The study showed that there were clear reasons for this behavior. The most commonly cited reasons were:

  • In order to be more effective in completing the task at hand
  • To obtain something that was deemed necessary
  • To assist others in achieving their work goals

These three reasons accounted for 85% of the motivations given for non-compliance with security protocols. It also shows that people were well aware that they were breaking the rules and taking shortcuts. It’s also important to note that these breaches were not because of laziness or sloppiness. They happened in the interests of getting through the workload. It’s about perceived priorities. Employees find themselves between a rock and a hard place: either get the work done or adhere to the security policies, which means being less productive.

It’s perfectly logical if you think about it. People feel that they’re hired to do a job, and getting the job done is what they’re going to do. Cybersecurity practices can be an obstacle to that. It’s hard to blame people for trying to do their best, especially if they have no say regarding workplace practices.

Effective Cybersecurity Training

It’s clear that productivity wins over cybersecurity adherence in the minds of most people. People are rewarded for being productive employees. No one gets praised for NOT enabling a cyberattack. One way to approach the problem is to appreciate that people behave as they do for good reasons, not because they’re sloppy, let alone malevolent. If blame has to be assigned, it needs to be considered that managers may have unrealistic expectations of their staff.

Bring Employees On Board

There’s no doubt that the way to address the problem is for management and IT staff to consult properly with the people who are actually having to deal with the policies they devise. It’s not realistic to expect people to prioritise network security over fulfilling the demands of their role. Sometimes the two just aren’t entirely compatible. Let’s remember too that most people are compliant most of the time, even if this does sometimes interfere with getting their work done efficiently. People work better when they can focus on one thing, without other things getting in the way. It takes effort on the part of management to devise acceptable solutions that take account of these factors.

It never hurts to keep reminding people of the importance of cybersecurity, but it’s important to be encouraging. As is so often the case, rewards for compliance are likely to be more effective than reprimands for non-compliance. It may seem absurd to celebrate people who are following the rules, but if it means that people are more motivated to be diligent about cybersecurity, it will be worthwhile.

If you need assistance with implementing effective and user-friendly cybersecurity policies, Quikteks is here to help. Call us today at (973) 882-4644.