
Problems of Employee Security Insensibility

· 7 min read
Paige Haines
Cyber Capability, Education, and Training Consultant

A breakdown of common organisational security pitfalls and how human factors affect cybersecurity resilience.

Data breaches have become increasingly common as the technical landscape changes (and brings new threats with it), and organisations respond by layering ever stricter countermeasures into their information security processes. Australia's Notifiable Data Breaches reports show a persistent and troubling trend: a large share of breaches are caused by human error. That problem stems from a combination of inadequate training and a lack of straightforward guidance written for the regular employee.

As history repeatedly demonstrates, people are the weakest link under many circumstances, and cyber security is no exception. The natural preference for keeping life simple, avoiding complicated or elaborate tasks, tends to outweigh the responsibility of keeping information secure. Research published by the OAIC indicates that at least 30% of all reported breaches result from exactly this: the mishandling of sensitive information, and the exploitation of human behaviour (phishing, pretexting, misdirected email) that directly or indirectly causes major security incidents.

InfoSec professionals are scrambling to secure business assets from threat actors. Through security processes informed by systematic analysis, the confidentiality, integrity, and availability (CIA) of organisational information can be better protected. Despite these expensive, and somewhat esoteric, initiatives, research published by Statista puts the average cost of a single data breach in the millions of dollars, and that figure rises every year.

As our technology becomes more robust, so too do our adversaries. Our procedures, protocols, and defenses must therefore advance in parallel; otherwise the impact of these threats will continue to worsen.

Cyber security tends to attract many competing voices within internal teams, which makes it difficult to pinpoint the steps needed to educate employees on their responsibilities for the information they handle. Attackers have historically prioritised maintaining persistence on an organisation's systems, because the data they can quietly collect from a foothold is highly lucrative on the black market. As many as 88% of breaches involved individuals' contact information, such as names, addresses, and phone numbers, being stolen by threat actors.

Solutions to these problems can come with a budget line and a chat over coffee with an outsourced cyber security expert, but someone who has worked in the industry for many years tends to operate at a very high level of technical understanding. That does not translate to the everyperson: what is obvious to an expert is simply noise to an employee. The ability to translate those ideas into concrete, actionable guidance for your everyday administrator is the first step in a strong cyber defense.

I mentioned an "outsourced" cyber security expert above because, although companies have encouraged the growth of large IT teams, we rarely see the same for cyber security.

More often than not, these IT employees are expected to take on the role of de facto cyber security professional, which leads to knowledge gaps. Companies should instead consider building a dedicated cyber security team whose aim is not only to bring specialist experience to cyber defense, but also to advocate for more diverse training opportunities. Without such professionals, the loss of trust, finances, and data in the event of an attack is far greater than it needed to be.

It is not uncommon to work at a company that provides little or no technology induction and no further training on protecting one's information. These experiences point to another fundamental reason employees end up responsible for data breaches: the lack of constant, frequent training delivered by cyber professionals. Without Information Security Awareness (ISA) training, employees are left to answer their own questions and improvise insecure workarounds to their IT problems.

We see this when employees forget to lock their computers as they leave the room, connect to unsecured Wi-Fi networks (or, worse, a rogue access point impersonating a legitimate one), or choose weak, easily guessed passwords.

The most obvious solution seems to be a procedure in which senior employees teach their reports the correct way to protect data. However, this sets a dangerous precedent. A senior employee may pass on various methods, but without a documented standard there is no way to confirm whether those methods are actually safe, or consistent with policy and legal obligations.

It may seem that there is no foolproof way to prepare employees to protect their devices, and that is true. Regardless of advocacy, training days, and well-informed procedures, there will always be room for error. Yet there is always an opportunity to mitigate risk. By working with an organisation that can present technical information to employees in plain terms (such as ITConnexion's Cyber Security Awareness Training, which uses fully simulated attacks for hands-on threat prevention experience), employees can learn how to deal with these threats in a safe, simulated environment. That gives them a concrete reference point if the situation ever happens for real.

Just like Fire Warden training or CPR training, ISA processes are created to mitigate risks and protect employees (and their information) which means there should be importance placed on this type of training just like its WHS counterparts. InfoSec is already becoming a prevalent part of the day-to-day operations of private and public sector corporations, so getting ahead of the curve and being proactive comes at a much better long-term benefit than being reactive.

As the main conduits of information within the company and to consumers, it is more important than ever that employees truly understand, in terms that make sense to them, how imperative it is to protect their devices. In addition, employing a cyber security professional (just as a company would hire an HR professional or a financial controller) should become a higher priority as more cyber threats present themselves.

Whilst we may not be able to remove the human element in Cyber Security, we can find many, creative ways to mitigate potential losses through these methods.

We are only as strong as our defense against these threats, so awareness on a wider scale for all employees is imperative as threats become more sophisticated and dangerous. The number of data breaches as a result of human error will never be zero, but any circumstance where less data is lost is a win. If you take anything from this post, I implore you to consider supporting employees as a proactive measure of security protection.

Cyber security is just as exciting as it is scary. It is through advocacy, and support from professionals in the field, that employees will feel their actions directly strengthen their organisation's defense, which is the kind of security utopia we want to work towards.