Bored and distracted employees are your biggest security risk
Ever had days when you feel like time is standing still, and you spend most of the day staring at the clock?
Us too. Especially in my first “proper” job working as a lowly BT data entry “administrator” in the early 1990s. (It paid just enough for the occasional curry and weekend pint).
Nowadays I’m lucky enough never to be bored at work, as a) I’m working in a field that I love, and b) I literally don’t have time.
However, if you ARE facing a day of slogging through a morass of administration, it’s tempting to jump onto the internet for some entertainment, or to scroll through your emails and click on an inviting link just to alleviate the workplace monotony.
Although some reassuring studies have shown that the occasional web surfing break actually increases productivity, a poll by Centrify has found that employees who become bored and distracted at work are more likely to be the cause of human error and a potential security risk.
In the report, 35% of survey respondents cited distraction and boredom as the main cause of human error. Other causes included heavy workloads (19%), excessive policies and compliance regulations (5%), social media (5%) and password sharing (4%).
It seems obvious: tired and frustrated employees will spend as much time as possible visiting their favourite online sites, updating social media and happily clicking on spammy links – possibly harming your company’s cyber security.
I’d wager that bored staff are usually in junior, entry-level roles, without much responsibility or variety in their work. These junior roles can miss out on vital training, or be pushed through dreary cyber security courses that bore them to death and make no real difference to their day-to-day working procedures.
Human error is still one of the biggest threats to cyber security. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders. Whilst the majority of these attacks involved malicious intent, a good proportion (25%) were caused by simple human mistakes.
After the recent WannaCry attack that hit the NHS, a GP partner and head of a busy practice in Yorkshire told us about his organisation and his worry about some staff members who have access to sensitive practice information. “Many of them”, he said, “especially older employees, have no real concept of how malware or data breaches occur, and STILL don’t understand how to recognise a suspicious phishing attempt”.
There are so many ways that sensitive company information can be compromised by individual error. These ways include:
- poor patch management,
- system misconfiguration,
- leaving PCs and laptops unlocked and unattended,
- weak passwords,
- lost devices,
- clicking on unsafe URLs or attachments,
- connecting to unsecured internet connections outside the workplace.
And if your staff don’t understand the basic concepts of computing and cyber security, how can you hope to protect your valuable data? And if your staff are distracted and bored, how do you prevent them from carrying out actions that might harm your data security?
Six Strategies to Minimise Human Error in your organisation
We have listed six main ways for your organisation to minimise human error in relation to cyber security. It’s impossible to guard against every single mistake, but the strategies below will help your employees become more aware and more responsible, and will promote a cyber secure culture that stops simple mistakes turning into security incidents.
- Cyber Security Training: Develop a thought-provoking and interesting cyber security training programme for ALL existing members of staff and new employees, tailored to their industry and using practical real-life examples. A rolling programme of continuously updated training will ensure your staff know how to flag up possible attack attempts.
- Simulated phishing programs: A phishing simulation will help you to test your organisation’s resilience against ransomware and phishing attacks and measure your users’ responses, e.g. do they click on untrusted links in emails? Do they open suspicious emails or enter their usernames and passwords into a fake site? A simulated phishing program can help you measure the existing baseline susceptibility of your employees, identify those users who need additional training, and measure your organisation’s progress toward reducing user click rates.
- Use of Automated Safeguards: Use automated prevention strategies that make it very hard for system users to make a mistake, e.g. you could implement cryptography, password management, identity and access management, network access rules and automatic standby locks.
- Strategic Prevention: Use strategic prevention approaches that guide people towards the correct way to carry out their tasks, such as checklists, awareness campaigns, procedures, disciplinary measures, litigation threats, training and retraining.
- Mitigation Strategy: Use a mitigation strategy to minimise the consequences of errors by making sure detection mechanisms are in place to correct situations before they become a much bigger incident. Examples include audits, internal control, breach detection solutions, system monitoring and surveillance.
- Improved management and cyber security leadership: Good management and leadership are essential to change your organisation’s culture on cyber security issues. An engaged Board and security “champions” (security officers, auditors, data protection officers, compliance officers, crisis managers, etc.) will enable a company to understand and make the necessary technological and training investment to move towards a secure and resilient organisation.
It’s impossible to prevent every employee from becoming bored at work. However, a management team that champions cyber security best practice, an inclusive training programme and practical prevention tools will increase your organisation’s protection against simple employee error.