What consequences do data leaks have for employees? To answer this question, we start by exploring the causes of most such incidents, which, in my experience, are frequently rooted in sloppiness, employee irresponsibility, or ineffective management. In other words, no matter how you look at it, the human factor lies at the heart of the problem.
When employees fail to take responsibility
Try asking employees what changes to their workflow would help them improve their productivity and level of job satisfaction. People generally want to work in whichever way suits them, without interference. For example, they want administrator rights on their computers, the right to install any software, and the ability to grant access to their team’s data and systems at their own discretion. They want to invite guests to the office. That sort of thing.
At the same time, almost no one is really prepared to bear the responsibility for what they want or find convenient. Many employees (and sometimes their managers) are complacent and believe they’re somehow protected, that no matter what they do, some wizards are standing by to save the day. Of course, we corporate cybersecurity experts always do our best to protect users, but we are not omnipotent.
Bad management decisions
The second cause of most serious incidents is, broadly speaking, ineffective business process management, which also encompasses the actions or inaction of information security and IT personnel. A company that is serious about cybersecurity doesn’t suffer major damage because one employee inserts a USB flash drive with an infected file or opens an e-mail with a malicious attachment or bad URL. In every case, a chain of errors has to occur in the right combination:
- The business process was organized in such a way as to allow this type of error;
- Someone made a mistake or violated information security policies;
- Information systems or infrastructure services contained undetected or unpatched vulnerabilities;
- Systems were too complex, causing a lack of the resources necessary to ensure secure configuration, timely patch management, and the implementation of security measures;
- The security department was unable (because of a lack of skills or opportunity) to identify the incident before it caused damage.
Each of those factors is a consequence of a decision. However, the overall cause of the incident is a combination of the factors. How the incident affects employee motivation depends largely on management’s response — and sometimes the measures a company adopts to prevent the recurrence of such incidents can do much more damage than the incident itself.
Here is a real-world example. A bank repeatedly experienced incidents resulting from both external attacks and employee errors. As a result, the bank’s systems went down for some time. Management, trying to motivate responsible staff as well as punish those at fault, went through several rounds of firing its IT and infosec staff. At the same time, despite knowing the automated banking system had architectural vulnerabilities, management allocated no budget to create a new system or to fix the old one. Experienced employees realized that anyone could make a mistake one day, and that the company would opt to hire new people rather than fix the underlying problem, so they soon found jobs elsewhere. New employees had a poor understanding of the company’s system, which had been developed in-house, and as a result they made even more errors and spent more time maintaining the systems because they lacked essential knowledge. Consequently, customers left the bank, and it slipped from its position in the top 50 to below 200th place.
What to do
In my opinion, it’s important not to demotivate your employees. Instead, help them understand their responsibilities, the company’s values, and the importance of their coworkers’ contributions. You can demonstrate all of those things through material support, mutual respect, and clear rules.
Corporate infosec rules need to explain simply and specifically what is and is not permissible, and what staff needs to do in case of a cyberincident – including in terms of privacy and confidentiality. The team leader must clearly communicate information to subordinates, and during and after a cyberincident explain the problem and its consequences (which may include penalties). Doing so helps maintain a healthy team atmosphere, and it can help the company avoid repeating the same mistakes.
You can use this infosec road map to focus on team motivation and cyberincident impact reduction:
- Conduct staff training not only to avoid mistakes, but also to teach people what a mistake can be;
- Motivate employees;
- Craft clear information security rules at the company — and measures to monitor them in action;
- Use incident detection and response tools;
- Implement systems for protecting against errors, foolish or sloppy behavior, and the malicious actions of insiders;
- Periodically review the above measures to reduce the likelihood that someone will make the same mistake twice.
For more insights about the human side of cybersecurity incidents, check out our latest report, “Taking care of corporate security and employee privacy.”