By Boaz Fischer on Nov 20, 2018
The Path to Poor Security Is Paved with Good Intentions
Most employees are hard-working, and eager to please in their roles. In fact, many go out of their way to do their jobs efficiently and as best as they can. Yet, therein lies a potential threat.
How would you respond if you found out that your employees were the biggest contributors to poor security in the workplace? You’ll probably be astounded.
Employees often view security policies as roadblocks to their progress. Instead of working with these protocols, many look for shortcuts to bypass them. According to a CEB study, around 90% of workplace policies are being violated by employees. So why do employees behave in this manner? You’ll be surprised to know that this habit arises from a need to do their job quickly and efficiently.
In a result-oriented workplace, employees are usually stressed and pushed to deliver their best. With the pressure of deadlines, meetings and everything else in between, employees start looking for solutions that allow them to accomplish their tasks as quickly as possible. At the end of the day, they’re producing results, right? So, they see no harm in the way they are working. However, violation of workplace policies by employees harms the business. It also raises the risk of insider threats. The intent of the person is good, but the damage that their actions can cause will not be marginal.
Insider Threats with Good Intentions
Out of all the data breaches reported in 2017, more than 76% were attributed to insider threats. Insider threats arise because of errors but they may also be the result of wilful negligence or ignorance on the employee’s part.
Surprisingly, the employees are aware that their actions aren’t authorised. But as long as the work gets done quickly, taking the shortcut is acceptable to them. Employees are also not aware of actions that can lead to data breaches. The following are some common shortcuts that most employees take which place the business at risk:
- Deliberate copying of sensitive data onto a personal cloud or backup system so that they can work on it at home or after hours to meet deadlines;
- Copying sensitive data onto personal thumb drives (USB) to access business data whenever they need to, in order to finish a project;
- Ignoring protocols and regulations that are placed for the protection and handling of sensitive data.
Take the example of what happened to the IRS in 2014. An employee took a personal thumb drive home which contained the social security numbers, addresses, contact information and other sensitive data of over 20,000 people. This included data of all contractors and current and former workers of the IRS.
Investigation showed that the device was used on the personal home network of the employee, which was not secure and placed the data at risk. Luckily, the thumb drive was not used for malicious purposes and no misuse of the data was found. Despite the fact that the IRS does have precautions and policies in place, the employee chose to overlook them so that they could work at home.
The Federal Deposit Insurance Corp also suffered a similar scenario in 2016. An employee downloaded sensitive data of over 440,000 customers onto an unauthorised storage device before going on leave. The theft was not noticed until three days later. The silver lining here is that the employee returned the data and also signed an affidavit confirming that the data had not been misused in any manner. Again, the motivation behind the action was that the employee could continue working and avoid facing a pile of work once they came back from leave.
In both cases, it is clear that despite the protocols and policies that the workplace enforces, the employees had no problem bending the rules to get work done with ease.
Intentionally Overlooking Things
Many unauthorised actions that place the business at risk are actually frequently overlooked. This is because the business is just as focused on getting results as their employees are. They will often turn a blind eye to the way the employee is working, as the saying goes “the end justifies the means”.
The intent behind these actions and insider threats can also make a difference. The following are the three main groups:
- Malicious and Intentional – This is done deliberately by a disgruntled or angry employee. They know that their actions will hurt the business and are not afraid of the consequences;
- Non-Malicious but Intentional – This is done deliberately but not with any intent to hurt the business. The employee is focused more on improving their performance or getting the results they want;
- Unintentional – These are the most common ones and are chalked up to simple error where details have been misunderstood or mistakes are made.
Businesses usually focus on external threats because they still have the mentality of “us vs them”: what’s inside the organisation is trusted and what is outside the organisation is untrusted. More to the point, protecting the perimeter is by far easier than identifying a person’s behaviour and the associated risk. Yet data shows that unintentional data breaches occur more frequently than either malicious ones or external-facing breaches. Interestingly, a ChiefExecutive report indicated that 90% of all cyber-attacks are caused by human error or behaviour.
Understanding the Way Your Employees Act
While looking at the intent behind the action helps you understand the motivation behind the action, it still doesn’t answer why your employees are making mistakes. To get to the root of the problem, you have to look for the following different signs of employee behaviour in the workplace to understand why they behave the way they do. Is it because they:
- Have huge workloads with tight deadlines?
- Lack regular policy and procedure training?
- Have a poor working environment?
- Are bullied and harassed at work?
- Find work tiresome and boring?
- Find security practices a hassle and a roadblock to their productivity?
- Are stressed at work?
- Are negligent and careless in their behaviour?
- Find it difficult, confusing and complex to follow organisation policies and controls?
- Lack perceived organisation support?
- Have poor personal habits - alcoholic, drug user, gambler and other forms of predisposition?
- Have health problems, such as sleep difficulties, that can also cause poor performance at work?
All these factors can have a major influence on how the employee performs, acts and conducts themselves. According to Gallup, the State of the Global Workplace report found that 85% of employees are not engaged or actively disengaged.
Paying Attention to Your Workforce
Data breaches occur because businesses are not paying enough attention to the workforce. It is essential to strike a good balance with your team. If they are overworked and stressed, they will look for shortcuts to accomplish their tasks. Beyond that, they will most likely burn out. In due time, they will most likely leave the organisation. And if it hasn’t already happened, they will cause security incidents, intentionally or unintentionally. This scenario is a recipe for disaster.
You need to make sure that you are providing them with the necessary tools to accomplish their tasks. At the same time, it is necessary that you encourage employees to act in the interest of the organisation through rewards, encouragement, and other positive incentives.
If you want to engender positive behaviour within your organisation, there are three dimensions that will help align employee interests with employer interests:
- Job Engagement – Involves the extent to which employees are excited by and absorbed in their work;
- Perceived Organisation Support – Involves the extent to which employees believe their organisation values their contribution;
- Connectedness at Work – Involves the extent to which employees trust, feel close to, and want to interact with the people with whom they work.
Question: How are you then engaging with your employees? How are you making their job more involved? How are you supporting them? And how do you encourage greater cooperation, creativity and teamwork within your organisation?
Need Help? Try Our Employee Engagement Assessment.
If you are concerned about the possible level of disengagement within your organisation, or are experiencing negative behaviour within your workforce, then we can help you overcome the potential risks that the “human element” may pose within your workplace with a simple Employee Engagement Assessment.
The Employee Engagement Assessment is designed to reveal strengths and opportunities for positive change in your organisation as well as identifying organisation culture risk.
The Employee Engagement Assessment evaluates common attributes that influence the level of emotional motivation, commitment, perceived support, and connectedness your employees feel about your workplace. The objective of this process is to turn intangible motivators into markers for progress and success and, importantly, to reduce the potential risk of negative unintended and intended consequences.
For more information, reach out to us at firstname.lastname@example.org or contact us on +61 2 6282 5554.