
Employees are NOT your greatest security risk

  • Writer: Christiane Wuillamie
  • May 7
  • 4 min read

I recently read an article by one of the leading cybersecurity consulting firms stating that employees are your greatest security risk. To be honest, it made me angry at how lazy and uninformed most of the world is about cybersecurity. There are invisible risks inside your organization, far more dangerous than employees. These are internal policies, work processes, and other elements that drive unsafe cyber behavior in employees.


Employees don’t go to work every day intending to be unsafe or cause cyber problems. Studies show that only a small fraction of employees are bad actors. Some come into the organization intending to commit theft or cause harm; others become angry or disaffected by how they are treated. Yet this is a very small percentage, and there are now several behavioral and digital tools to help spot these few troublemakers.

If, as is commonly reported, roughly 80% of breaches involve a human element, why are ordinary employees, at every level, involved in cyber breaches?

Employees are not your greatest security risk.

Employee cyber mistakes and errors are not deliberate. Your employees live and work in an organizational ecosystem with numerous causal factors influencing employee attitudes and actions. Think of a fish tank. If the fish are sick or behaving oddly, it’s not the fish’s fault. It’s the dirty or toxic water in the tank. Keep the water clean, and the fish will be healthy.


An organizational ecosystem is a combination of internal policies, work practices, management goals, peer pressure, compensation formulas, and other elements that can influence employee attitudes and behaviors. Most company policies and processes are designed to manage costs, improve sales and profits, or comply with regulations. Few organizations think about the impact these elements have on human behavior. An organizational ecosystem can unwittingly promote and reinforce unsafe or risky behaviors.


Bonus compensation formulas are a great example. Excessive bonuses were the main reason for casino-like cultures in investment banking, resulting in billions of dollars in fines for excessive risk-taking and fraud. The huge personal bonus opportunity heavily influenced risky and even fraudulent behavior.

A Bad System Will Beat a Good Person Every Time. - W. Edwards Deming

A simple yet real example of how internal processes drive employees' unsafe cyber actions can be found in organizations where the cyber threat notification process, or the email phishing alert process, is so cumbersome that many employees, pressed by management to meet work deadlines, simply ignore it. By contrast, one of our clients developed a simple, one-click process to report any suspicious email, resulting in a huge reduction in successful phishing attacks.

Change the system, change the outcome.

To build a strong and safe cybersecurity culture, it is important to identify hidden elements within the organization that may be driving unsafe behavior. The ecosystem dynamics model developed by PYXIS Culture Technologies visually maps the factors that influence cybersecurity, using both quantitative and qualitative company data. Here we see an example of how multiple internal organizational factors, linked together as a system, collectively impact the overall risk dynamics associated with cyber safety.


A cybersecurity ecosystem map looks something like this, where internal company data is used to code each cybersecurity causal factor on a red-to-green risk scale. Each high-risk causal factor can then be explored and improved to reduce its impact. Such a causal factor map also helps employees at all levels identify, understand, and help mitigate the hidden risks and causal factors.

Making the Invisible Visible


Do you know the causal factors in your organization that influence cyber safety? Do you know which are enablers and which are potential risks?

It’s time to proactively manage and improve cyber safety, not just blame people.

About PYXIS Culture Technologies

PYXIS Culture Technologies helps organizations understand and improve the cultural drivers of performance, safety, and cyber resilience. By combining deep research, operational experience, and advanced culture analytics, we help organizations close the gap between strategy and everyday behavior.


The PYXIS approach is effective:

  • We treat culture as a systemic business issue, not an HR initiative.

  • We identify key internal business practices that create performance and risk challenges and provide effective solutions you can immediately implement.

  • We link organizational culture to business and financial metrics, showing a clear ROI for strengthening alignment and performance. 

Connecting the dots

If the ideas above resonate with what your organization is facing, it may be worth exploring what a structured diagnosis of your cybersecurity culture would reveal. You can find out more about how PYXIS works on the PYXIS Culture Technologies website.

About the Author

Christiane Wuillamie OBE is an advisor to senior leaders on cybersecurity culture and IT transformation. She has decades of experience advising boards and executive teams across Fortune 500 and FTSE 250 organizations. Christiane is a successful entrepreneur and business executive who founded a pioneering IT services company and grew it 100% year on year into a multimillion-pound enterprise, achieving a successful trade sale in 2001. Christiane’s passion is blending technology, agile tools, and cross-functional business processes with culture change to drive business transformation projects that deliver greater business agility, speed to market, and a significant competitive advantage.

Where is the murky water in your organization right now? The places where incidents go unreported and new hires are swimming without cover? I'd welcome your thoughts in the comments. To see how PYXIS maps the hidden drivers of cybersecurity culture and turns them into measurable action, visit www.pyxisculture.com.
