Opinion

Cyber problems? Your employees are likely to blame

Fostering a culture of security is imperative to ensure data security and resilience as organisations tackle employee policy fatigue
By Jon Fielding

Recent research has uncovered a concerning trend as employees fail to follow best practices and disregard cybersecurity policies. In fact, according to the findings from a survey by Apricorn, a staggering 70% of corporate breaches can be attributed to employee error or malicious intent. This represents a significant increase compared to findings from the previous year, with more than double the number of breaches caused by employees.

Furthermore, almost half of the companies that suffered breaches reported that mobile or remote workers knowingly exposed sensitive data. These findings indicate that employees may well be experiencing policy fatigue and are not adhering to best practices.

Amidst the barrage of policies and protocols aimed at safeguarding organisations from cyber-attacks, employees are now inundated with rules. The risk is that they become desensitised or indifferent to the importance of these cyber security practices, undermining the efficacy of existing policies and leaving organisations vulnerable to increasingly sophisticated cyber threats. The question now is how organisations can address this issue and ensure that everyone has a security-first mindset, regardless of their work location.

To combat policy fatigue and cultivate a culture of security, organisations must prioritise comprehensive cyber security education initiatives. Instead of merely enforcing rigid policies, companies should invest in educating employees about the evolving cyber landscape, the potential risks they face, and the role they play in defending against cyber-attacks. By fostering a deep understanding of cyber security principles, employees can make informed decisions and act as the first line of defence against potential breaches.

Moreover, regular training sessions, workshops, and simulated cyber-attack drills can help reinforce the importance of vigilance and preparedness, ensuring that cyber security remains at the forefront of employees' minds.

In addition to education, organisations must also implement strong measures to protect data. Controls that limit employee access to systems and data are crucial. Shockingly, only 14% of organisations surveyed were using software to control access, reflecting a significant decline from the previous year. Having a robust access control system in place is essential to prevent unauthorised data exposure.

Organisations should consider implementing approval processes for employee device usage. Nearly a quarter of organisations surveyed required employees to seek prior approval to use their own devices, while 15% only allowed the use of sanctioned corporate devices. However, neither group had any means of enforcing these conditions or holding employees accountable for compliance.

The survey also found a steep decline in the encryption of remote devices. Only 12% of organisations encrypt data on laptops, compared with 68% in 2022, and it's a similar story for mobile phones, where 13% are encrypted versus 55% in 2022. There were dramatic drops in the encryption of USB sticks, now at 17% down from 54%, and of portable hard drives, at just 4% compared to 57% the year before.

One solution for keeping data secure when policy fatigue sets in is the use of encrypted USB devices, which ease the burden of security compliance on employees while ensuring that data remains protected. These devices offer a secure and convenient way to safeguard sensitive information, and because encryption is built in, it can be enforced automatically as standard across the organisation, regardless of the employee's location or device.

Organisations must take proactive measures to address this issue and create a culture of security. This includes education and training, strong access controls, and the implementation of secure solutions such as encrypted USB devices. By prioritising cybersecurity and addressing policy fatigue, organisations can significantly reduce the risk of breaches caused by employee error or malicious intent.
