Poor employee awareness and, more worryingly, low employee engagement are significant challenges for many organisations working to maintain and improve their cyber security posture.
Whilst there’s a multitude of industry reports regarding this topic, two of the most startling stats published are that 25% of employees say they just don’t care enough about cybersecurity to mention an incident and 20% of employees say they don’t care about cybersecurity at work.
With employees viewed as the weakest link in an organisation’s cyber defences, stats like these must send shivers down the spine of CISOs.
Of course mistakes happen because we are all human and therefore vulnerable. However, a lack of desire to support an organisation’s cyber strategy and policies not only makes the security team’s role more challenging, it significantly raises the risk of a security breach that damages the reputation, brand and value of the organisation.
Why might employees not care about cyber security?
There are many reasons why employees may, consciously or subconsciously, have a lack of interest and not play their part in helping to keep their organisation cyber secure:
- Lack of awareness of the nature/type of cyber attacks
- Poor knowledge of internal security policies, not knowing what to do
- Feeling under pressure, with not enough time and too many tasks, contributes to mistakes being made
- An unsupportive culture, perhaps where there is a perception that staff are penalised for mistakes, can deter others from speaking up and reporting incidents
- Home/hybrid working and BYOD have both blurred the lines of work/life behaviour
- Distraction, whether from home working, personal issues or workload pressure, causes lack of focus and attention
- Fatigue, such as that caused by too many tools or multiple passwords, impacts motivation, awareness and decision making
- Feeling generally overwhelmed by work, life or both, greatly reduces cognitive ability
- Dissociation, where an individual feels disconnected from their workplace, can contribute to low enthusiasm
As the volume of cyber attacks constantly increases, and attacks become ever more sophisticated, low employee awareness, low engagement and apathy contribute to a ‘perfect storm’ of cyber security challenges.
Combatting employee apathy
Whilst it can feel like the goalposts are constantly moving, because they are, resilience and consistency are key in building a culture of trust and confidence to overcome employee apathy to cyber security:
- From updates to upgrades to consolidation, organisations must continue to maintain investment in the latest cyber security technology required to support employees to work effectively and securely
- Utilise the knowledge and wisdom of highly qualified and experienced cyber consultants and security analysts who can take the pressure off internal security teams
- Develop and implement a regular programme of cyber security awareness training, ensuring the training is up to date, relevant and timely
- Verizon’s data breach report stated that 43% of security breaches involve phishing. To raise awareness internally of phishing attacks, you should regularly undertake random phishing assessments
- Build a culture of trust and confidence; reward and recognition go a long way in influencing behaviours, driving enthusiasm and inspiring others
- Support team members with their mental health and in maintaining a positive work/life balance. Humans are the biggest vulnerability of your business; wellbeing can be impacted by many internal and external factors, which in turn can impact the success of your cyber security strategies.
Infosec Partners helps organisations to develop and maintain a strong cyber security posture. We provide consultancy, awareness training, and managed security services to organisations of all sizes, supporting them to overcome the cyber challenges of today’s fast paced world. Get in touch if you would like to find out more.