One of the absolute worst things you can do for your company’s data security is punish employees for falling victim to a cyber attack. Let us repeat that: do not punish your employees for falling victim to a data breach.
Companies tend to punish employees for falling victim to try to make them take data security seriously and attempt to prevent them from making the same mistake again. In some cases, that may work. In reality, though, you are creating a culture of fear around data security.
Don’t get us wrong: the cybercrime landscape IS scary. One wrong move can cost your company a lot of time and money (and probably some customers).
But, by punishing your employees, you aren’t necessarily going to scare them into being vigilant about data security – you’re going to scare them into silence. You are going to teach them to fear punishment and ridicule if they fall victim to a cyber attack, making them less likely to speak up if they experience a data breach. And THAT could cost you big time.
This is already happening in many organizations. A recent survey found that 59% of the employees hit by ransomware paid the ransom our their own pocket, with shame and embarrassment cited as the main reason why. The respondents were trying to handle the situation on their own before anyone else found out.
The last thing you want when a data breach happens if for an employee to try to handle it on their own. There are a few reasons for this:
You need to foster a culture of openness when it comes to data security. Employees should feel safe to speak up when they see something fishy. You should reward and praise employees for asking the question when they see cybersecurity red flags. You need to make it clear that employees will not be punished for coming forward if they have fallen victim to an attack. Think carrot, not stick.
They also need to be able to spot the red flags, which is where cyber security training comes in. Unfortunately, remedial cybersecurity training is going to be seen by many employees as punishment. But that doesn’t mean you should provide security training. It should be part of your new employee onboarding and regular training, though – not only used when someone makes a mistake.
Some companies are starting to combine cybersecurity training with rewards. Facebook has a month-long campaign where employees who successfully fend off cybersecurity attack simulations get prizes.
Training isn’t always enough, though. Cyber attacks are becoming more and more sophisticated. Phishing attacks - especially spear phishing attacks - are getting harder to spot. Some attacks, like the major Wannacry attack in the spring of 2017, exploit unpatched vulnerabilities in software, rather than going through people. And the “it’ll never happen to me” mentality is still widely prevalent among professionals (spoiler alert: yes it will).
Use technology to your advantage to help mitigate the risk of an attack. Multi-factor authentication can help prevent a breach when someone’s password has been stolen (or if someone attempts a brute-force attack). Services like Advanced Threat Protection for Office 365 can flag and quarantine suspicious emails before they ever reach your employees’ inbox.
You can also put steps in place to detect and limit an attack that’s in progress. You can use a service that flags suspicious behavior like too many log-in attempts or log-in attempts from an unknown location. Limiting what your employees have access to can also help if a cybercriminal is able to get into your system. Employees should have access to everything they need to do their jobs, but no more than that.
It’s up to you as the leader of your business to set the tone for cybersecurity in your culture. If you don’t take it seriously, or treat people like they’re stupid for falling victim, your employees will follow. Start now to foster a culture of cyber awareness and openness. It’ll keep you much safer in the long run.