Glasswall recently asked a group of senior-level cybersecurity executives how they view the role of their organization’s employees in cyber defense. The large majority of these executives said that they rely heavily on employees in their defense against adversaries; but at the same time, many acknowledged that those employees remain susceptible to compromise. That seems to be borne out in the continually increasing cybersecurity budgets needed for the growing multitude of technologies that make up security stacks.
A full 40% of these leaders say they’re 100% reliant on employees as the last line of defense against a cyber-attack; and 45% say they’re “mostly” reliant on them. The remaining 15% who expressed lower levels of reliance cited two main reasons for that position – employees are too busy and react before thinking about what might be risky; and the current cleverness of cyberattacks has just made it too difficult to distinguish them from non-malicious content.
And yet, even though the large majority of these leaders do hold that reliance, over 42% believe employees are highly susceptible to phishing attacks—and that they engage in myriad risky behaviors like leaving devices unlocked when away from the desk, poor password protection habits, and using unsecured personal devices for work. Clearly there is a disconnect between relying on employees as the last line of defense and believing that those same employees are easily compromised.
Many respondents reported taking steps to try to overcome this challenge, such as providing employees with formal training and reading materials, and even using anti-phishing software to simulate attacks. But despite these efforts, there is still a high level of concern.
This finding contrasts interestingly with the findings of Glasswall’s 2017 Employee Survey, conducted among office workers to understand their cyber awareness, attitudes and practices. That study revealed that the majority of workers felt their employers weren’t giving them the right tools to help protect their organizations. It also indicated an inadequate understanding among workers of how simple actions (like opening an unknown email attachment) could end in disaster for their employers. Perhaps things have radically improved in the last two years, but it’s more likely that security leaders still need to consider ramping up their efforts and improving communications throughout the organization.
Practically speaking, no leader can completely control employee behavior. Employees will do what they need to do to get their jobs done, especially in the modern accelerated business environment where it’s common to react exceedingly quickly. That sometimes includes people working around the digital security measures that are in place, without much thought to the risks. It’s better to seek unobtrusive, transparent solutions that don’t impose hurdles to productivity.