A punitive approach toward employees reporting data breaches intensifies problems.
Experts warn that, when it comes to cybersecurity, blaming users is a terrible idea; doing so is likely to make the situation even worse. “Many organizations have defaulted to a blame culture when it comes to data security,” comments Tony Pepper, CEO of Egress Software Technologies, in an email exchange. “They believe actions have consequences and someone has to be responsible.”
“In cases where employees report incidents of data loss they accidentally caused, it’s quite common for them to face serious negative consequences,” continues Pepper. “This, obviously, creates a culture of fear, leading to a lack of self-reporting, which in turn, exacerbates the problem. Many organizations are therefore unaware of the scale of their security issues.”
Pepper’s comments are based on findings gleaned by the independent market research firm Arlington Research. Analysts interviewed more than 500 upper-level managers from organizations within the financial services, healthcare, banking, and legal sectors.
The analysts’ findings were published in the paper Outbound Email Security Report. Regarding employees responsible for a loss of data, 45% of those surveyed would reprimand the employee(s), and 25% would likely fire the employee(s).
Pepper suggests that while organizations may believe this decreases the chance of the offense recurring, it can have a different and more damaging effect. There’s a chance employees may not report security incidents in order to avoid repercussions from company management.
“Especially in these uncertain times, employees are going to be even less willing to self-report, or report others, if they believe they might lose their jobs as the result,” adds Pepper.
It gets worse
According to survey findings, a high percentage of organizations rely on their employees to be the primary data breach detection mechanism–particularly when it comes to email. “Our research found that 62% of organizations rely on people-based reporting to alert management about data breaches,” mentions Pepper. “By reprimanding employees who were only trying to do their job, organizations are undermining the reporting mechanism and ensuring incidents will go unreported.”
Without truly understanding why data is escaping the digital confines of an organization, those in charge of cybersecurity will find it hugely difficult to develop a defensive strategy that effectively protects the organization’s data.
Overcome the blame game
Once it is understood that reprimanding employees is ineffective, organizations should look to create a more positive security culture. One immediate benefit is the increased visibility of heretofore unknown security risks.
Another benefit is the ability to show regulatory bodies that the organization has taken all reasonable steps to protect sensitive data. Pepper adds, “If you don’t know where your risks are, it’s hard to put reasonable measures in place. Regulators could surmise that during a data breach investigation and levy higher fines and penalties.”
Technology has a role
Once the blame game is curtailed, it’s time to get technology involved. “The first step is to get reporting right, using technology, not people, which will remove the pressure of self-reporting from employees and place the responsibility firmly in the hands of those in charge of cybersecurity,” suggests Pepper. “Advances in contextual machine learning mean it’s possible for security tools to understand users and learn from their actions, so they can detect and mitigate abnormal behavior–for example, adding an incorrect recipient to an email.”
This is where technology makes all the difference: it prevents accidental data loss before it can happen, empowers employees to be part of the solution, and gives the security team unbiased visibility of risks and emerging threats.
What cybersecurity teams need to understand
Education about potential consequences is vital. Anyone working with the organization’s digital assets needs to understand the possible outcomes from a data breach–for example, regulatory fines or damage to the organization’s reputation.
It’s a safe bet that when users understand the consequences of emailing client data to the wrong recipient or responding to a phishing email, they’ll be much more likely to report the incident if and when it occurs. Remember: If an incident isn’t reported, there’s no way to remediate it or prevent it from happening again.
In conclusion, Pepper offers advice to those managing cybersecurity. “The best way to engage employees with security, and ensure they understand its importance, is to create a ‘security-positive’ company culture,” he explains. “Security teams need to reassure the wider organization that, while data breaches are to be taken seriously, employees who report accidental incidents will receive appropriate support from the business and not face severe repercussions.”