Employees may face serious negative consequences for accidental data breaches. Here’s why the blame game is the wrong path to take. (Markus Spiske photo)

Cybercriminals, like any criminals, seek to exploit weakness. When the world suddenly switched to working at home — a major disruption that sometimes involved working on unsecured networks — cyberattacks spiked.

“Since last year, there’s been a boom in phishing and ransomware attacks,” said Mac Pham, senior manager at Paris-based digital strategy and management consulting firm Vona. He pointed out that the National Cybersecurity Agency of France (ANSSI) found that ransomware reports in the country increased 255 percent in 2020.

A study by Emeryville, California-based security company Tanium revealed that 98 percent of executives surveyed said they experienced security challenges within the first two months of the pandemic. At the same time, 90 percent of information-technology leaders said they experienced an increase in cyberattacks after people started working from home.

“The almost-overnight transition to remote work forced changes for which many organizations were unprepared,” Tanium Chief Information Security Officer Chris Hodson said in a statement.

The Tanium study, which polled 1,000 executives in the U.S., the U.K., France and Germany, found that the most common attacks involved data exposure (38 percent), business e-mail or transaction fraud (37 percent) and so-called phishing (35 percent).

Why cybersurveillance may be the wrong move

Another study of 200 IT and cybersecurity professionals by Irish cybersecurity firm Malwarebytes found that since the beginning of the pandemic, remote work has been the cause of security breaches in 20 percent of organizations. As an example of the flood of malicious attacks, the U.K. National Health Service was hit with 40,000 spam and phishing attempts between March and mid-July of last year.

An IBM study put the global average cost of a data breach at $3.86 million in 2020.

With numbers like these, the first impulse may be to clamp down by installing surveillance software — “tattleware” — to monitor the behavior of workers. However, such tools can raise an organization’s legal risk, especially within the European Union, where stringent local and/or regional laws and regulations may apply.

A subsidiary of Swedish clothing retailer H&M learned this lesson the hard way when it was fined 35.3 million euros ($42.6 million) because a monitoring program was found to violate employees’ civil rights.

Legal penalties are not the only risk — the use of such software may damage employee-employer relations if employees feel that they are not trusted.

Strengthening ‘the weak link’

In fact, companies may install the most sophisticated technology in the world and still have cybersecurity problems, experts say.

“The issue is not the technical side,” Vona’s Pham said, noting that technical systems were generally very efficient. “The weak link is the human being.”

Security risks can result from mundane actions such as leaving a screen unlocked when a worker steps away from a computer, using USB drives with unencrypted data, opening unknown e-mail attachments, using weak passwords and downloading unapproved software.

“In many cases, individuals are afraid to report even the smallest breach as they fear they might lose their job,” Richard McBarnet, managing director of Lumina, a British business IT support company, wrote on a company blog. “So they try to fix the problem themselves, which increases the likelihood of leaving a breach.”

Instead, experts say companies should create a positive reporting culture so even small breaches are reported to the appropriate experts, such as the company’s IT/security department. Systems, rules and training should be established — before the need for them becomes all too obvious.

In addition to safeguarding a business and its data, reporting protocols are required by the EU’s General Data Protection Regulation. Companies subject to this regulation must report data breaches involving personal information within 72 hours.

Still, people must be willing and able to report, and the organization must be willing and able to learn, Erlend Andreas Gjære, co-founder of Norwegian cybersecurity firm Secure Practice, writes on his blog.

Involving employees in security protocols

Gjære advises that reporting a security incident should not involve a lot of extra work for the person who reports it. More important, employees should not fear being blamed or punished. He said the point is to get the information quickly so the problem can be addressed and resolved as soon as possible.

One way to address accountability is to involve employees in creating an improved system, Gjære said. This involves talking to employees, in a nonjudgmental manner, to find out why they engage in risky behavior. This could result in improved or clarified procedures, or in the initiation of staff training.

People also must understand the reasons for security protocols. If employees don’t comprehend the possible negative consequences of their actions, they may disregard security procedures, Gjære emphasized.

“People want a good workplace, and they will usually appreciate an opportunity to influence it,” Gjære said. “For cybersecurity, it means that everybody knows that reporting suspicious events will help the company protect itself against criminals. This may have to be stated explicitly.”

The David Hasselhoff solution

Gamifying security procedures can help raise employee awareness and motivation, as one Norwegian company found out. Employees of Oslo-based Admincontrol gained points for reporting suspicious e-mails and the most active contributor was rewarded.

“It is obvious that gamification can crank up the engagement,” Admincontrol security manager Ole Martin Refvik said in a statement.

At an awards ceremony to honor the most active contributor, “some had found it a bit unfair that others had received more phishing attempts than themselves!” Refvik added.

At Lumina, one internal problem was that staff often left their workstation without locking their computer. To counter the behavior, whenever a screen was left unlocked, someone would change the desktop wallpaper to a photo of actor David Hasselhoff. The person who had been “Hoffed” the most that week had to buy beers for the rest of the employees.

“It was a fun way of making a serious point that a company’s security is only as good as its weakest link,” Lumina’s McBarnet wrote.

Blame-free reporting ensures fast reporting

Though people may be the weak link in cybersecurity, they are also the key to preventing cybercrime. For Vona’s Pham, that’s why it’s clear that employees should be encouraged to report and not be punished for doing so.

Cyberattacks are becoming more and more sophisticated because hackers now come well prepared, he said. Rather than — as in phishing scams of old — pretending to be a Nigerian prince who needs a little cash advance, new hackers use social engineering techniques to send a personalized e-mail, with your name and based on your job position and contacts.

Therefore, it’s understandable that people would trust these personalized e-mails. Even more sophisticated cybercriminals go “big game hunting” to target specific firms and high-profile individuals with ransomware attacks that may unspool over months, Pham said.

In the face of criminals’ new sophistication it’s “common sense” that employees should not be reprimanded for reporting risks or accidentally falling victim to scams, he added.

“It’s like any security measure,” Pham said. “For example, you lose your badge, so it’s natural you mention it. There’s no reason you should be punished. The same thing if you opened a file attached to an e-mail or clicked on a link.”

Blame-free reporting helps assure that a threat is detected and addressed rapidly, he added.

“The IT department of course prefers to know immediately if something happened rather than even an hour later,” by which time malware may have spread throughout the company, Pham said.
