Careful there – a third of bosses say they’ll sack you if you cause a data breach.
That’s one of the findings in a new survey of CEOs and CISOs by security vendor Nominet.
The survey doesn’t look too deeply at the various ways employees can inadvertently lower the drawbridge to cybercriminals, but the consequences are clear: many senior executives see breaches as a failure of individuals, not of technology or processes – or even of themselves.
They’re more than ready to make individuals shoulder the blame.
They might well start by looking in the mirror.
As we’ve written recently, C-Suite executives often pose the biggest cyber threat to their own organisations, due to lax personal security habits or failing to prioritise cybersecurity in strategic planning.
The insider threat from malicious or errant staff is real, but those insiders could be anywhere in the organisation, from front to back office, or the boardrooms at corporate HQ.
Firing an employee for clicking the link in a sophisticated phishing email, or downloading an infected attachment that looked completely legit, seems more than a little unfair.
Let’s look at a recent example
When Equifax suffered a catastrophic breach back in 2017 – still one of the biggest in history – it exposed the detailed personal and financial information of 148 million people in the US, Canada, and UK.
Attackers gained and retained access to its systems for more than two months, moving laterally through the network until they found an unencrypted file of usernames and passwords. Those credentials gave them access to a further 48 databases containing unencrypted consumer credit data.
During their time on the network, the hackers sent more than 9,000 queries to various databases and downloaded data on 265 separate occasions. All of it went undetected.
Human error caused the breach. There’s no doubt about that.
But who was really at fault?
A US House of Representatives committee determined that Equifax had left the door open to hackers by failing to implement a publicly available security patch – for a vulnerability deemed so serious that the US Department of Homeland Security had announced it some months before.
The company waited six weeks to disclose that its systems had been hacked. Then its former boss tried to blame a single IT employee for failing to add the patch in time – something the House Oversight Committee rejected outright.
It called the company’s cybersecurity systems outdated and full of vulnerabilities, and its attitude to data security ‘cavalier’.
Culture impacts security
The issue of company attitude is a serious one. Organisations have formal rules and procedures, but alongside those they have an informal ‘culture’: the mix of unwritten processes, customs and habits that does more to determine how people actually behave at work than any rulebook or company manual.
Ideas and shared knowledge are part of the culture, forming a group ‘awareness’ that shapes conversations and influences how people react to certain stimuli – like the arrival of a well-crafted phishing email.
Leaving systems unpatched against a widely publicised vulnerability, leaving passwords and data unencrypted: are these failures of culture, of processes, of individuals, or of all the above?
Our view is:
Blame for breaches should be traced up and down the organisational hierarchy, not shifted onto a front line employee, or some poor system admin, buried under cables in a distant data centre.
Building a culture of security awareness
When you look closely at breaches, you’ll find that they are usually …
- Avoidable (patch when prompted!)
- Directly observable (9,000 queries and 265 downloads in two months in Equifax’s case – and no one noticed)
- Or detectable, once people have been taught to recognise the tell-tale behaviours of an attack on the network.
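To make the “directly observable” point concrete, here is an added example (not code from the original article or from any company it mentions) of the simplest kind of check that would have surfaced the activity described above: compare each account’s database activity in the period under review against its own recent baseline, and flag accounts that suddenly run many times more queries, export far more data, or touch databases they have never used before. The audit-log format, account names, database names and thresholds are all assumptions chosen for the illustration, and the sample log lines are constructed, not real telemetry.

```python
"""Baseline comparison over constructed database audit-log lines.

Added example, not the article's own code. The log format is assumed:
    <timestamp> db=<database> user=<account> action=<SELECT|EXPORT> rows=<n>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>SELECT|EXPORT) rows=(?P<rows>\d+)$"
)


def parse(lines):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rows"] = int(d["rows"])
            events.append(d)
    return events


def profile(events):
    """Per-account summary: total queries, exports, rows exported, databases touched."""
    prof = defaultdict(lambda: {"queries": 0, "exports": 0, "rows": 0, "dbs": set()})
    for e in events:
        p = prof[e["user"]]
        p["queries"] += 1
        p["dbs"].add(e["db"])
        if e["action"] == "EXPORT":
            p["exports"] += 1
            p["rows"] += e["rows"]
    return prof


def find_anomalies(baseline_events, review_events, factor=5, min_queries=20):
    """Return [(user, [reasons])] for accounts whose review-period activity is
    `factor` times their baseline, who appear for the first time, or who touch
    databases absent from their baseline. `factor`/`min_queries` are assumed
    thresholds; `min_queries` stops tiny counts from tripping the ratio test."""
    base, cur = profile(baseline_events), profile(review_events)
    findings = []
    for user, p in cur.items():
        b = base.get(user)
        reasons = []
        if b is None:
            reasons.append("account not seen in baseline")
        else:
            if p["queries"] >= min_queries and p["queries"] > factor * b["queries"]:
                reasons.append(f"queries {p['queries']} vs baseline {b['queries']}")
            if p["exports"] > factor * max(b["exports"], 1):
                reasons.append(f"exports {p['exports']} vs baseline {b['exports']}")
            new_dbs = p["dbs"] - b["dbs"]
            if new_dbs:
                reasons.append(f"new databases: {sorted(new_dbs)}")
        if reasons:
            findings.append((user, reasons))
    return findings


def constructed_lines(user, db, selects, exports, day):
    """Build constructed sample log lines (not real data) for one account/day."""
    sel = [f"2017-05-{day:02d}T10:00:00Z db={db} user={user} action=SELECT rows=1"
           for _ in range(selects)]
    exp = [f"2017-05-{day:02d}T11:00:00Z db={db} user={user} action=EXPORT rows=500"
           for _ in range(exports)]
    return sel + exp


# Baseline: a normal period for two hypothetical accounts.
BASELINE_LINES = (constructed_lines("svc_web", "consumer_db", 40, 1, 3)
                  + constructed_lines("analyst_ann", "reports_db", 15, 4, 3))
# Review period: 'analyst_ann' is unchanged; 'svc_web' credentials are being
# reused against a database the account never touched, with bulk exports.
REVIEW_LINES = (constructed_lines("svc_web", "consumer_db", 45, 1, 20)
                + constructed_lines("svc_web", "credit_db_07", 300, 25, 21)
                + constructed_lines("analyst_ann", "reports_db", 18, 5, 20))

if __name__ == "__main__":
    for user, reasons in find_anomalies(parse(BASELINE_LINES), parse(REVIEW_LINES)):
        print(user)
        for r in reasons:
            print("  -", r)
```

Run stand-alone, the script flags only `svc_web`, for three independent reasons (query volume, export volume and a database outside its baseline), while the analyst whose work grew slightly is left alone. The point is not the specific thresholds but that the signal was never subtle: a per-account baseline and a daily comparison is all it takes to notice thousands of queries and hundreds of exports that should not be there.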
In cybersecurity and elsewhere, aligning formal procedures with informal processes is a major business challenge.
Employees have to be engaged in order to secure their buy-in and belief when the company says they should change how they do things in the workplace.
If they feel they’re just being talked at from above, or handed down rules that don’t fit the day-to-day workstyle of the office, it’s unlikely those rules will take hold.
But if they feel empowered, given knowledge and tools that enable them to act independently to avoid errors, they’re much more likely to embed them in normal workflow.
Train and empower
Everyone in the organisation has a role to play in cybersecurity. Companies can promote this in an ongoing way with security awareness training.
Research from Forrester shows that only a quarter of workers know what to do when a breach occurs. That lack of knowledge needs to be addressed.
We can turn the tables on criminals by arming employees with the skills they need to identify attacks when they occur, or note a potential vulnerability as they’re going about their daily tasks – and report it.
Want to learn more about empowering your employees’ security defences? Why not sign up for a free demo and find out how we’re already helping organisations just like yours.