By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author
It’s no secret that employees violate security policies. Whether we’d like to admit it or not, there’s a good chance we have all violated a security policy once upon a time. Sometimes, employees violate policies to save time or make their job easier, and sometimes, they don’t even know they’re doing it. How do you ensure your employees are following your security policies? First, you must figure out why they’re breaking the rules, to begin with. Below we highlight findings made by Dark Reading as to why employees violate security policies.
Reason #1: “I didn’t know”
It’s an age-old excuse, but many times policies are violated due to ignorance. We often expect employees to know they’re “supposed to” exercise certain security measures, but the truth is, many of them don’t know what those measures are.
According to a study from February 2018, 52% of companies do have a cybersecurity policy in place, but what good is a policy if employees don’t know it exists? That same survey found that nearly half of entry-level employees don’t know if their company has a cybersecurity policy or not.
Reason #2: “It’s easier this way”
Despite nearly half of employees knowing a cybersecurity policy exists within their organization, many of them choose to act as if they don’t. We all know that the easy way isn’t always the safe way, but sometimes, employees choose convenience over following the rules to avoid a disruption in their work-flow.
Maybe a co-worker or third-party vendor needs access to a system they don’t have credentials for. Sure, the right thing to do would be see that they get their own credentials to access the system, but it’s much easier to just give them yours. What’s the harm if you change your password after? Of course, this is poor cybersecurity. Maybe you reused that password on various other systems, now you have given out the key to all your doors and violated your organization’s security policy (if it exists).
Reason #3: “I’m frustrated”
Sometimes even the best employees break the rules. Perhaps an employee has been trying to remote into the company’s server from home but is having trouble. If that employee needs to get their work done to meet a deadline, they may decide to do so locally on their computer, or if they’re having trouble with their internet connection, may go to a public location, such as a coffee shop, to use their free Wi-Fi for a better signal. There’s a good chance that employee knows this is against their company policy, but under stress, the employee decides to take their chances and roll the dice.
Reason #4: “I’m curious”
Your cybersecurity policy should outline that employees only access information required to perform their job function, but many times, that is not enough to stop an employee from snooping. We’re humans, we’re curious! Employees might be wondering which celebrity client may be requesting an appointment, or how much money their co-workers make. Although this is a violation of policy since the information isn’t required to perform necessary work-functions, curiosity often gets the best of an employee, causing them to break the rules.
Reason #5: “I was just trying to help”
In some instances, employees know the rules that are in place, but when asked to do something outside of the rules, they feel compelled to listen. For example, Business Email Compromise (BEC) Scams are huge in the cybercrime industry. If an employee gets an email from their boss requesting a wire-transfer for funds to deposit into the company holiday party fund, there is a good chance that employee will quickly complete the transfer of funds, despite the odd request falling outside of policy.
What can you do?
Knowing why employees violate security policies is extremely important and useful in helping your organization address those issues.
- Make sure employees are aware of your organization’s security policies. If you are not properly communicating the rules and expectations for your employees, you cannot expect them to follow them.
- Employees who violate policies due to the convenience in doing so may always look for an easier way to accomplish a task or avoid disrupting their work-flow. Ensuring that accounts, access provisioning, and approvals are a seamless process will help employees not feel the need to side-step the rules in order to accomplish their job-function.
- Your organization must also be ready to hold policy-violators accountable for breaking the rules. Often, employees who break the rules, maybe out of frustration, know there is a workaround that is in violation of their organization’s security policy. Unfortunately, those individuals often recognize that their employer won’t reprimand them for their misconduct, so they move forward, feeling comfortable enough to break the policy. Make sure your employees know that will be repercussions for policy violations.
- To help control policy-violators who are curious about information they shouldn’t be accessing, ensure your organization has proper access-controls in place. In addition, monitoring your employees’ cyber-behavior will not only help you identify inappropriate access (both internally and externally) but will also make your employees aware that you are enforcing the rules.
- Cybercriminals are becoming more sophisticated in their attacks and will continue to find new ways to trick employees into falling for their scams. Employees who violate policies while trying to be helpful in scenarios such as a BEC Scam may act on a request quickly, before thoroughly thinking it through. Ensure that your employees have gone through security awareness training and receive continuous education on new threats and best practices. Spear-phishing, as seen in a BEC Scam can be very convincing attempts by cybercriminals. While email filters may aid in sorting out malicious attempts, employees MUST know how to spot these attempts on their own to protect your organization.
This article was originally published on HIPAA Secure Now! and is republished here with permission.