Cyber defences don’t only get breached because clever hackers manage to break through them. Ask most IT professionals and they will tell you that the people they fear most are their own colleagues.
Why is that? Why does business culture so often turn an organisation’s own employees into a major cause of cyber damage?
Of course it depends on the organisation, but here are ten common reasons (plus a bonus reason) why employees can cause trouble.
1. It doesn’t matter
Everyone “knows” that what you say on the internet, especially on social media, doesn’t matter: it’s unofficial, it doesn’t count legally, and it isn’t important. Hmm. Ask Sally Bercow, and countless others like her, who have found out otherwise. Anything you write on social media (or in an email, or in an online or mobile message) cannot be unwritten. It can be screenshotted, archived and produced in evidence, and it may have an impact on any legal, compliance, contractual or HR wrangle you later become involved in.
2. It’s too difficult
We have all experienced directives from IT like this: “Passwords must be changed every month, must contain numbers, capital and lowercase letters, and symbols, can’t be the same as a previous password, and must be at least 12 characters”. If things are too difficult people will simply ignore them, or find ways of working round them. Force people to use an impossible password policy and expect to see their passwords on Post-it notes stuck to their screens, which is hardly secure. Worse, the predictable workarounds (incrementing a digit each month, appending “!” to a dictionary word) are exactly the patterns attackers try first, which is why current guidance such as NIST SP 800-63B advises against forced periodic rotation and composition rules in favour of length, screening against known-breached passwords and multi-factor authentication. (Or ask me how to help them remember “random” passwords that comply with these rules.)
3. It’s inconvenient
This one is similar to the “too difficult” reason. Make people’s lives hard, for instance by forcing them to log on too many times or to go through over-complex routines to get at data, and you can be sure that they will invent clever ways of getting round the obstacles you have imposed: personal email, unapproved file-sharing, a shared login that nobody owns. And if they can’t get round them, well, you are simply making them spend a lot of time on unproductive tasks.
4. It’s a waste of time
If people don’t understand why you have put certain security procedures in place, they will simply ignore them. Few people (in British culture, anyway) follow rules just because they are there. (After all, “rules are for the obedience of fools and the guidance of wise men.”) People want to know why they have to do something. If they think they are being forced to do something unnecessary, many will simply ignore the requirement: after all, their time is too valuable to spend on pointless activities. Every control you impose therefore needs a reason you can explain in a sentence.
5. I thought it was the right thing to do
If you don’t train people in best practice they won’t know what is appropriate. Give your social media marketing to an intern (because they use Facebook and you don’t) and they will do things to your brand you may not be too happy with. Let inexperienced people “chat” with customers by email in order to build better relationships and they may accidentally agree to contract variations that take all the profit out of hard-won deals. Fail to protect crucial documents from unauthorised “helpful” editing and you may have a problem on your hands. Honest people doing the wrong thing for the right reasons are a real cause for concern, and no amount of monitoring substitutes for telling them what “right” looks like.
6. I didn’t realise it was a problem
If people simply don’t know that something is dangerous, they may well do it. What harm could there possibly be in sharing that social media password with a colleague? Why should it matter if I download a list of our customers to my smartphone? It will be handy when I am on the road. What is wrong with discussing our plans for expansion into China / our new IT security software / our search for a replacement marketing director (delete as appropriate) on LinkedIn? Each of those is a gift to a competitor or an attacker doing reconnaissance, and none of them feels like a security decision to the person making it. Education is a key part of cyber security.
7. It’s a laugh
The Labour Party’s Twitter-based policy promising everyone a free owl was amusing, of course. But not everything that is meant as a laugh is amusing. Online jokes can be misinterpreted and end up as discrimination cases, or damage corporate and brand reputations. Social media jokes, especially those made in bars at 2 a.m., are rarely as funny as you think they are at the time and may result in you being fired. Don’t do it. Tell your colleagues not to do it.
8. Just in case you sack me
This is a difficult one, especially if you really are intending to sack them. Employees who feel threatened will often take data out of the office via email, cloud services, memory sticks or smartphones. Some organisations lock down their information completely: no mobile devices, no data downloads. Most can’t (or won’t) do that, though, because it demotivates people and reduces efficiency. So unless you are in a very risk-averse organisation, the best way forward is to protect the most important information (blueprints, strategic plans, customer lists) by restricting who can access it and keeping a record of who did, and to trust people to deal fairly with the rest. (They won’t, but the reality is that most of the information they can access will be of little real value to your competitors.) If you do expect to let someone go, the time to tighten their access is before the conversation, not after it.
9. It’s none of your business
“So you want access to the data on my smartphone in return for letting me use it for work? Why should I let you do that?” Because if you don’t, I will be unimpressed with your loyalty and your business acumen, and that will have an effect on your career prospects. And just as I retain the right to read the emails you send out on the company system and to review the websites you visit, so I need to be able to demand access to (and potentially destroy) the company data on your personal mobile devices if you are using them for work. I’ll only do that if there is a problem, and if I need to. But it is the company’s data, after all. In practice this is what mobile device management tools are for: they can keep work data in a separate container that the company can wipe without touching your photos, which is a far easier conversation to have than “hand over your phone”.
10. I hate you all
Disaffected employees (political activists as well as people with grievances) may well be tempted to cause cyber security breaches, perhaps by destroying information or by making it easy for others to steal it. The way organisations respond to this threat will depend on their appetite for risk. Making systems too secure reduces efficiency: that may be a price worth paying if you are running a nuclear power station, but most organisations will want to reduce the risk from disaffected employees while maintaining flexibility. Scenario planning is one way of managing this. Imagine that a senior IT executive decides to steal the client list. How would you prevent them? And if you couldn’t, how quickly would you know it had happened? Insiders with administrative rights are a major threat precisely because they don’t need to break anything, and unless you use your imagination to identify how this threat might appear, you will be unable to manage it.
Bonus reason: I’m the boss, don’t tell me what to do
It’s not the boss’s fault if you are too frightened to tell them (tactfully, of course) why a certain way of behaving could cause problems. And if you feel you can’t tell a senior executive that their behaviour is putting the organisation in danger, try to find someone who can. Security is the responsibility of everyone in an organisation: cleaners, interns and receptionists as well as Directors. Senior people are also the most attractive targets, because their accounts and their exemptions from the rules are worth the most to an attacker. So if you are the boss and run an organisation where people are too scared to tell you there is a problem, well, you deserve that cyber breach.