The catastrophic consequences of cybersecurity breaches are no secret. In the past two years, cybercriminals nearly derailed Verizon’s multibillion-dollar acquisition of Yahoo!, meddled in the US election, and leveraged a leaked NSA tool to infect more than 200,000 computers across 150 countries in the infamous WannaCry ransomware attack.
And yet, much to the frustration of IT professionals everywhere, many employees still fail to follow their organization’s office security policy. Why are people ignoring your policy and jeopardizing the safety of your company’s data? Here are a few common reasons—and how you can change their behavior.
They don’t understand the severity of the risks
Given that nearly every major news organization covers the latest global hacks and ransomware attacks, you might assume employees recognize what’s at stake and take the necessary precautions to protect company data. Unfortunately, people don’t always understand how quickly one simple mistake, like clicking a link in an email from a sender they don’t know or sharing the Wi-Fi password with unauthorized personnel, can endanger the entire organization. Some employees may also assume that because they don’t work for the government or a massive global organization, cybercriminals aren’t interested in accessing their company’s data.
As an IT leader, it’s up to you to dispel these myths and help them understand that cybercrime happens to organizations of every size, and even seemingly small errors can have catastrophic consequences. Get detailed, and explain precisely how hackers get in and what they can do once they’ve accessed your systems.
They think they “get it” already
Overconfidence is rarely beneficial, but when it comes to your employees’ understanding of cybersecurity, it’s downright dangerous. Negligent employees are the number-one cause of cybersecurity breaches for small to midsize businesses across the United States and United Kingdom.
While some of these cases can be attributed to employees acting maliciously, many cyber attacks happen because people don’t realize their actions put the organization at risk. For example, an employee may be well-versed in the dangers of sharing their passwords and downloading software without asking IT for permission. However, they may still fall for social engineering tactics and unknowingly put the entire company at risk by engaging with spearphishing emails.
Sometimes, sending routine warning messages isn’t enough, especially when people assume they already know the best cybersecurity practices. In this case, you may want to try something different. For example, consider sending a mock phishing email and tracking who clicks. People who engage with these mock emails may need a cybersecurity awareness refresher.
Your office security policy reduces their productivity
Occasionally, an employee’s need to get something done supersedes their commitment to the organization’s office security policy—especially if sticking to the rules slows them down. The stricter the mechanisms you put in place, the harder employees will attempt to find a workaround. Instead of tempting people to go behind your back and take liberties that could create risks and expose sensitive data, it’s better to strike a balance between security and productivity. One of the best ways to accomplish this is to invest in equipment that increases security without compromising performance.
For example, printers often go overlooked as a cybersecurity vulnerability and get left unprotected, which makes them an inviting entry point for hackers. When upgrading, it’s crucial you choose a printer with advanced security measures, like the ability to trigger automatic reboots and notify IT if anything suspicious is detected. By selecting a device with built-in security, you can take some of the burden of cybersecurity off your employees.
Cybersecurity awareness is critical to bolstering your protection and ensuring employees don’t open your business up to unnecessary risks. However, even the most comprehensive office security policy won’t do much good if employees aren’t committed. By making sure employees understand the risks and are clear on best practices—and by investing in products that protect your company without threatening productivity and convenience—you can ensure everyone at your organization heeds your policies and does their part to protect your valuable data.