Let Us Close the Awareness-Action Gap in Cyber Security Together

Persuading non-IT personnel to respect information security policies and report on incidents has always been a challenge. Unfortunately, new research shows that there is still no cooperation between regular workers and IT departments in the UK. Overall 60% of respondents consider their colleagues from IT as a nuisance; 46% are so hostile toward their IT departments that they would blame them for a security incident even if was the fault of an employee from another department.

Indeed, according to our own recent research, which was based on IT professionals’ feedback from 1,558 organizations worldwide, insiders cause more than 50% data breaches. Insiders threaten information security much more often than hackers do. The truth is that people make mistakes by copying the wrong people into emails or by giving away credentials after being tricked by phishing emails. What is worse, they may never report on such incidents. Companies often learn about breaches from third parties, when it has already resulted in significant losses, and IT departments need to work hard to remediate each incident.

Who Is Truly Responsible?

In my view, one of the reasons that people do not feel confident in contributing to companies’ information security, is because legally the organization takes all responsibility for the consequences of the data breach. Practically, IT departments handle the fallout. Regular workers believe that they are paid for doing their job rather than for following information security policies, which requires additional time and effort.

In fact, the consequences of violating security policies can be harmful not only for an organization, but also for an individual. Last year an employee from a charitable organization Rochdale Connections Trust sent spreadsheets containing the information of vulnerable clients to his personal email address, and was prosecuted under the UK Data Protection regulation. He was given a conditional discharge for two years and had to pay a fine of £1,845.25, as well as a victim surcharge. A similar incident  occurred at Southwark Council this year.

Even though there are isolated incidents where individuals are held liable for violating security policies, there are already plenty of cases where guilty parties were fired. There is no doubt that every employer wants an employee who protects corporate interests and who will act if he or she notices when something goes wrong and reports it. Therefore, it makes sense to recognize information security as shared responsibility with the IT department instead of leaving workers to take care of it themselves.

How Can You Contribute to a Safer Workplace?

As a part of an onboarding process, employees must have signed information security policies that are supposed to answer this question. However, employees commonly feel that it does not have any practical implementation. Indeed, security controls and guidelines might be either unrealistic to follow, or too formal and complicated. And just 12% of employees are fully aware that security policies even exist, according to a study.

When information security policies are hard to follow in real life, the “awareness-action” gap becomes even worse, and impacts user well-being in two ways. Firstly, some organizations make business users follow so many security controls that people look for ways to circumvent the restrictions. If that is the reason why staff are frustrated with  IT departments, they must not keep silent. Security is one of the strategic goals for business nowadays, but it should also align with business objectives. Workers are well advised to discuss problems or concerns with managers and cooperate with IT departments to achieve a balance between achieving compliance and adequate business workflow.

Secondly, the majority of organizations do not articulate actions that employees should undertake if they accidentally commit a security incident. In case an individual has made a mistake that might result in disclosure of sensitive information, reporting the incident to both the head of department and to the designated information security officer is a first necessary step. In my experience, when line managers receive a report about a breach, they often silently agree with their subordinate that it was a matter of “human error”, and avoid troubling the security officer with this incident. Unfortunately, even a small leak might result in a catastrophe if not discovered operatively. Therefore, it makes sense to provide a security officer with all information about an incident, which includes what exactly happened, what information was compromised, and what kind of personal data was affected, if any.

Rapid incident detection is a global challenge for the information security community. A study by Ponemone Institute revealed that mean time to identify a breach is 197 days – imagine how much damage could have been prevented if regular users notified their IT peers about incidents in time.

Effective cyber security is an ecosystem – it requires a collective effort. Let us cooperate for safer cyber workplaces. If something goes wrong, it must be acted upon without delay.