I recently read an article by one of the leading cyber security consulting firms stating that employees are your greatest security risk. To be honest, it made me angry at how lazy and uninformed most of the world is about cyber security. There are invisible risks inside your organization far more dangerous than employees. These are internal policies, work processes and other elements that drive unsafe cyber behavior in employees.
Employees don’t go to work every day with the intention to be unsafe or to cause cyber problems. Studies show that only a small fraction of employees are bad actors. Some come into the organization with the intent of theft or harm; others become angry or disenfranchised with how they are treated. Yet this is a very small percentage, and there are now several behavioral and digital tools to help spot these few troublemakers.
But we also know that 80% of breaches have a human thumbprint. So why are normal employees, at all levels, involved in cyber breaches?
Employees are not your greatest security risk.
Employee cyber mistakes and errors are not deliberate. Your employees live and work in an organizational ecosystem that contains numerous causal factors that influence employee attitudes and actions. Think of a fish tank. If the fish are sick or behaving oddly, it’s not the fishes’ fault. It’s the dirty or toxic water in the tank. Keep the water clean and the fish will be healthy.
An organizational ecosystem is a combination of internal policies, work practices, management goals, peer pressure, compensation formulas, and other elements that can influence employee attitudes and behaviors. Most company policies and processes are designed to manage costs, improve sales and profits, or comply with regulations. Few organizations think about the impact these elements have on human behavior. An organizational ecosystem can unwittingly promote and reinforce unsafe or risky behaviors.
Bonus compensation formulas are a great example. Excessive bonuses were the main reason for the casino-like cultures in investment banking that resulted in billions of dollars in fines for excessive risk taking and fraud. The huge personal bonus opportunity heavily influenced risky and even fraudulent behavior.
A Bad System Will Beat a Good Person Every Time - W. Edwards Deming
A simple yet real example of how internal processes drive unsafe employee cyber actions can be found in organizations where the cyber threat notification process, or the email phishing alert process, is so cumbersome that many employees, pressed for work deadlines by management, simply ignore the process. By contrast, one of our clients developed a simple, one-click process to report any suspicious email, resulting in a huge reduction in successful phishing attacks.
Change the system, change the results
To build a strong and safe cyber security culture, it is important to identify the hidden elements in the organization that may be driving unsafe behavior and actions. The ecosystem dynamics model developed by PYXIS visually maps the factors influencing cyber security, using quantitative and qualitative company data and information. Here we see an example of how multiple internal organizational factors, linked together as a system, collectively impact the overall risk dynamics associated with cyber safety.
Making the Invisible Visible
Do you know the causal factors in your organization that influence cyber safety? Do you know which are enablers and which are potential risks? It’s time to proactively manage and improve cyber safety, not just play defense.