Cybersecurity has emerged as one of the most significant challenges of the digital workplace. Moreover, it is an issue over which organizations don’t always have full control, as it depends to such a great degree on employee behavior. New research from the University of Delaware’s John D’Arcy shows that employees’ moods can influence their cybersecurity habits, for better and for worse:
According to the survey, employees in better moods are more likely to have a positive attitude about security and are more likely to follow policy. “On the flip side, if they’re in a bad mood, what you get can change from day to day,” D’Arcy said. “That makes it more likely that they will violate policy.” …
The team also examined what might cause some of these mood changes in the workplace, and ironically, sometimes the cause of the employees’ bad moods was the security policy itself. The research team calls this a security policy “backfiring.”
“Sometimes if they’re dealing with security requirements that they think are too restrictive or are a hassle, that can have a negative impact,” D’Arcy said. “It’s like too much security puts employees in a negative mood, which then again makes them less likely to follow policy.”
This finding may seem ironic, but in fact it makes perfect sense, because there’s nothing employees find more frustrating than workplace policies that get in the way of them getting their work done.
It’s not uncommon to think of cybersecurity as primarily a technological challenge, but it’s really more of a human one, Alex Blau writes at the Harvard Business Review, in that cyberattacks so frequently take advantage of human error. Most of the large-scale cyberattacks that have made headlines in the past year at some point involved someone making a mistake or exercising bad judgment and accidentally giving cybercriminals access to sensitive data. Behavioral science, Blau observes, helps explain why people (including your employees) have a hard time adopting good cybersecurity habits:
One major insight from the fields of behavioral economics and psychology is that our behavioral biases are quite predictable. For instance, security professionals have said time and again that keeping software up-to-date, and installing security patches as soon as possible, is one of the best methods of protecting information security systems from attacks. However, even though installing updates is a relative no-brainer, many users and even IT administrators procrastinate on this critical step. Why? Part of the problem is that update prompts and patches often come at the wrong time — when the person responsible for installing the update is preoccupied with some other, presently pressing issue.
Blau’s insight here underscores something we discovered in our recent study of organizational culture at CEB, now Gartner. When culture change efforts fail, it is sometimes because employees are unable to manage the tension between the desired change and their day-to-day workflow. Getting employees to adopt a new habit at work means understanding the tradeoffs they need to make in order to do so, minimizing those tradeoffs as much as possible, and giving employees guidance on how to manage them. When best practices in cybersecurity (or any other area where you’re hoping to change employees’ habits) get in the way of an employee doing their work efficiently, the employee is more likely to sidestep them.
A series of massive data breaches at major companies, including the recent theft of over 140 million Americans’ personal data from Equifax, has put questions of cybersecurity at the front of every CEO’s mind. At the Wall Street Journal last week, Vanessa Fuhrmans noted that the threat of losing their jobs or even seeing their business destroyed was pushing more chief executives to give cybersecurity their personal attention.
Their motivations are twofold: First, the frequency of data breaches is increasing at an alarming rate, and second, CEOs are increasingly getting blamed for them. After last month’s crisis, Equifax’s board moved quickly (though some argue not quickly enough) to remove Richard Smith from the CEO role he had held for 12 years. Yahoo CEO Marissa Mayer, for example, had her bonus for 2016 rescinded as punishment for a 2014 security breach that compromised hundreds of millions of user accounts and to which an internal investigation found her management team had not responded properly.
The bottom line, Fuhrmans hears from various chief executives, is that they can no longer afford to pass the cybersecurity buck to the IT department and hope to escape unscathed if their company’s data is eventually compromised. That means developing good cybersecurity habits themselves (given how much information is publicly available about them, CEOs are attractive targets for phishing scams), learning more about how their organizations’ security systems work, and taking on a more direct oversight role.
Here’s an area where CEOs could be leveraging their relationship with the HR department to be more proactive about solving the problem. Rather than investing more in firewalls to prevent external breaches, many organizations should also be looking inward, as employee errors account for nearly 60 percent of privacy failures. There’s a big role for HR in helping employees avoid the errors and bad habits that make cyberattacks more likely to succeed.
The “WannaCry” ransomware cyberattack that began spreading last Friday quickly affected over 300,000 machines in 150 countries, mostly in Europe and Asia, making it the largest such attack in history and putting in stark relief the threat cybercrime now poses to organizations around the world. WannaCry exploited a vulnerability in outdated versions of Microsoft Windows, and as Washington Post tech writer Brian Fung explained earlier this week, some businesses were hit particularly hard because of a simple lack of resources and attention. There’s no question that if the affected businesses had kept their Windows systems up to date, they would have been protected from this threat, but doing so is often a lot less straightforward than many would assume, especially if cybersecurity isn’t properly ingrained in a company’s culture, or when cybersecurity efforts or IT upgrade initiatives lack the resources they need.
While the WannaCry attack appears to have been more sophisticated than a typical phishing scam, the majority of ransomware attacks (in which the attacker encrypts certain files on a user’s computer, locks them out of vital programs, or freezes their desktop, then demands payment to undo the damage) are conducted through phishing—a confidence scam in which the user is tricked into giving personal information or loading malicious software via email.
Why HR Should Care
Ransomware is—and should be—a major concern for HR departments: HR professionals are particularly vulnerable to such attacks, as they are often accustomed to receiving and opening innocuous emails from outside the organization. Cybercriminals know this and target organizations through their HR departments with malicious software disguised as a job application, résumé, or invoice. A recent phishing attack that compromised thousands of current and former employees at the newspaper publisher Gannett, for example, exploited this vulnerability.
The other reason HR needs to pay attention to cybersecurity is that rank-and-file employees are one of an organization’s foremost lines of defense against hacking.