HR has a big role to play in facing the mounting cybersecurity challenges all organizations face today, because good cybersecurity practices depend so heavily on employees’ choices and behaviors, such as how they protect their passwords and respond to suspicious emails. To this point, Maarten Van Horenbeeck argues at the Harvard Business Review that employees fail to take on good cybersecurity habits because the rules their employers give them are unnecessarily complicated:
One of the big reasons security rules often don’t work is because they are so complex they drive people to take shortcuts that defeat their purpose. For example, password policies are so complicated and inconvenient that most employees just ignore them. Employees are told to change passwords frequently, but researchers have found that when people are required to come up with new passwords every three months they tend to do things like merely capitalizing the first letter or adding a number on the end to save time. This makes passwords increasingly easier to crack. Being creative gets exhausting when you have to do it repeatedly, yet most companies force this on employees for the sake of security.
Another example of a self-defeating security policy is requiring long and complex passwords. We’re constantly being told to come up with complicated passwords, ideally strings of passphrases that incorporate numerals, uppercase letters, and symbols. When faced with this task, many employees will simply ignore the policy or create a long password that can’t easily be remembered, so they write it on a Post-it note attached to the monitor. Again, these are practices that provide a false sense of security for the organization.
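The rotation failure Van Horenbeeck describes (a capital letter here, a digit tacked on the end there) is easy to spot at password-change time. The following is an added illustration, not code from the HBR piece or from CEB/Gartner: it normalizes away exactly those trivial edits and flags a "new" password that is really the old one in disguise. It assumes the check runs while the user is proving the old password, so both values are briefly available in memory.

```python
import re

# Characters the page describes being bolted onto an existing password:
# digits and symbols at the start or end. Matched as leading/trailing runs.
_LEADING_JUNK = re.compile(r"^[\d\W_]+")
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalize(password: str) -> str:
    """Reduce a password to the part a person actually remembers.

    Lower-cases it (undoing 'capitalize the first letter') and strips
    digits/symbols appended or prepended (undoing 'add a number on the end').
    All-numeric or all-symbol passwords have no such core, so they are
    compared as typed (lower-cased) instead.
    """
    core = password.lower()
    core = _LEADING_JUNK.sub("", core)
    core = _TRAILING_JUNK.sub("", core)
    return core if core else password.lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is merely `old` with the edits described above.

    Assumed to be called at change time, when the user has just supplied
    the old password; stored hashes alone cannot support this comparison.
    """
    return normalize(old) == normalize(new)


def flag_weak_rotations(changes: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (old, new) pairs that a rotation policy should reject."""
    return [pair for pair in changes if is_trivial_rotation(*pair)]


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    sample = [
        ("summer2023", "Summer2024"),   # capitalized + counter bumped
        ("welcome", "Welcome1!"),       # capitalized + suffix added
        ("hound-orbit-9", "x4-quartz-lamp"),  # genuinely new
    ]
    for old, new in flag_weak_rotations(sample):
        print(f"rejected: {new!r} is a trivial variant of the previous password")
```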
Another way to think about the problem is that complex cybersecurity procedures require employees to go further out of their way to complete them, and since employees will tend to take the shortest route to getting their work done, cybersecurity requirements that distract from their regular workflow are that much more likely to be disregarded.
In our ongoing research at CEB, now Gartner, we are seeing this conflict between security and efficiency emerge as a key challenge for organizations looking to improve their cybersecurity habits: employees are reluctant to adopt these habits when the tradeoffs they must make are too great or they don’t know how to manage them. To that end, organizations should consider giving employees specific guidance or devising process-based methods to actively manage the tradeoffs they need to make in their daily workflow for the sake of information security.