IP PROBE – Blog

Does Stress Drive Employee Violations of Cybersecurity Policy?

Ten days ago, the Harvard Business Review published an article titled: Research: Why Employees Violate Cybersecurity Policies.

According to their research, deliberate violations are indeed what drives cybersecurity policy violations, not because of malicious intent but because of employee stress.

Here are a couple of quotes from the article:

“Our recent research, however, suggests that much of the time, failures to comply may actually be the result of intentional yet non-malicious violations, largely driven by employee stress.”

“While IT specialists toil away to create better, smarter, and safer technical systems, there is one risk they can’t program away: humans.”

Highlights of their research results and recommendations:

Many Policy Violations Are Driven by Stress, Not Desire to Harm

Employees failed to comply at an average rate of once per 20 job tasks. The most common responses from employees for their failure:

There’s a Middle Ground Between Ignorance and Malice

The researchers contend that the wish to accomplish a task is sometimes in conflict with cybersecurity policy and recommend IT departments consider employee workflow in developing that policy.

Job Design and Cybersecurity Are Intertwined

Carrying out an organization’s cybersecurity policy can add to an employee’s workload and, therefore, should be incentivized, along with other job requirements.

Hackers Take Advantage of Altruism

The researchers found employees are more prone to violate cybersecurity policy when they’re helping somebody else.

Final Thought

Organizations must now urge their employees to slow down and weigh the source of each cyber communication before they act, and recognize that workflow may be affected.

It is another useful strategy to help mitigate theft of intellectual property and improve overall cybersecurity hygiene.

Side Note: Remember one of the most effective and simple ways to protect your data: Multi-Factor Authentication.

Additional Reading:

Why Employees Must Be Hacker-Detectors—IP Probe Blog

Beware of: Business E-Mail Compromise (BEC)–IP Probe Blog

Disclaimer: IPProbe.Global is a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, regarding the content provided in IPProbe.Global. We disclaim all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such persons and the accuracy and validity of the information provided by them. This blog is for general information only and not intended to provide legal or other professional advice.
