Do employees threaten your company’s security?
By Simon Bowyer, Senior Consultant, Human Performance, QinetiQ
In 2015, an auditor from Morrisons with a grudge was jailed for leaking personal data, including bank details, of 100,000 other employees. It cost Morrisons more than £2 million to rectify. In 2016, a small hair salon in Gloucestershire was victim of a ransomware attack that left it locked out of its appointment and booking system, which contained client contact details. The salon owners decided to pay the ransom and estimated that the attack would cost them a total of £6-7,000.
The common cyber risk factor all businesses face, regardless of size, is the behaviour of its employees. Impacts on small businesses can be just as big, with the attack on the hair salon threatening the existence of the business. If repeated on a wider scale (there are 35,500+ UK registered hair salons), it could potentially be as damaging to the economy as an attack on a single large enterprise. Extrapolate this situation to all the sole traders and small to medium businesses across Europe, and the potential impact to job security and the wider economy is significant.
Adherence to the concepts and suggested applications of the new European-wide General Data Protection Regulation (GDPR) will assist organisations control and monitor the integrity of the personal data in their possession.
‘Training’ employees is not enough
Every organisation must recognise there’s no ‘one size fits all’ solution and no silver bullet to changing employee behaviour. Simply telling employees to ‘be better’ or assuming that training alone will provide the answer is, in today’s world, too simplistic. Cyber security is a complex set of interactions between people, technology and the organisational environment, as shown in figure above.
Every organisation needs to give time and thought to the risks it faces, how it protects itself, and the vulnerabilities that exist. Understanding the people-related risks and how they link into wider technological and organisational systems is a key part of this, and something that QinetiQ is highly experienced in. Understanding employee behaviour is a critical part of this process; key questions we ask clients are:
Do employees know what to do?
This is about enabling employees to know what to do in critical situations. For example, do your employees know what to do if there’s a fire in your building? Do they know what to do in the event of a cyber security attack?
An important aspect of enabling employees to know what to do relates to the organisation’s ability to provide a consistent coherent story as to what’s important and why. Organisations must support this story through provision of appropriate behavioural cues (e.g. signs) that subtly remind employees how they should behave when these situations arise. Key questions for organisations to explore are:
• Do we communicate the message clearly enough?
• Have we articulated our security values?
• What are the behavioural norms of our leaders?
• Is there sufficient awareness of our security requirements?
• Are there appropriate artefacts and cues in the environment to encourage people to adopt the desired behaviours?
Are employees able to stay secure?
Employees are rarely recruited because they’re good at security. Additionally, technology and systems aren’t always designed with the human in mind, e.g. the ever-increasing complexity of passwords can frustrate users when they’re unable to complete tasks because they can’t recall them. Additionally, people are required to memorise multiple passwords and change them on a regular basis.
Writing passwords down is a behavioural issue that creates weaknesses in the security system. It’s also, in some cases, the inevitable outcome of designing a security system that most humans are unable to comply with – they don’t have the memory to enable adherence to the process. Key questions that organisations should explore when considering the ability of employees are:
• Do they have the skills to stay secure?
• Do our ways of working, support them in doing it?
• Do they have the technology they need?
Are employees willing to act securely?
This is an important issue that relates to motivation and engagement of the workforce. Research on employee engagement shows that it has a positive relationship with a range of business outcomes, with security no exception.
System designers also need to address the ‘line of desire’ to prevent users from developing their own unintended shortcuts when working on systems; these tend to occur where security systems make it less efficient or more difficult to complete a task.
Lastly, and perhaps key, it’s important to consider how much employees share the organisation’s values. Establishing shared values is a critical aspect of developing an effective organisational culture, without which it’s unlikely employees will consistently want to behave in desired ways.
Key questions to explore when considering if employees will act in a secured manner:
• How aligned are your employees values to the security values of your company?
• Does security (cyber or physical) add inconvenience or stop users from doing necessary tasks?
• Do technology and security processes directly support what they need to do?
For further information about any of the discussion points in this article, contact customercontact@QinetiQ.com