Whilst the common perception is that the biggest threat to security at a company is from external actors hacking into your system, the reality is that insiders often pose a much bigger threat. Recent research from the Universities of Glasgow and Coventry highlighted the employees most likely to pose such a threat.
Many of the behaviors in the four employee types identified by the authors can be worsened by organizational change, with negative behaviors ranging from time-wasting to leaking confidential information to competitors the result.
Risky employees
The four types of employee identified by the research were:
- Omitters – The first type are omitters, who generally behave in a risky manner due to difficulties in self-regulating their behavior. Their breaches are usually unintentional and can be mitigated via help from others.
- Slippers – The second type are slippers, and they usually have very good behavior but can occasionally slip and commit one-off acts of insecure behavior, whether it’s taking secure documents home with them or being rude to others.
- Retaliators – The third type sees a shift towards more mendacious behavior and sees employees act in response to a perceived slight by their employer. They respond by committing a small security breach that can nonetheless harm the company. If these employees aren’t challenged, it can easily snowball into more serious offences commited by the final group.
- Serial transgressors – The final group commit a range of counter-productive behaviors that constantly undermines the organization, thus not only resulting in counter-productive behavior themselves, but also in their colleagues.
Promoting security
These risks can be mitigated by undertaking a range of organizational strategies to reduce the likelihood of employees going rogue. These include making the workplace more predictable, improving communication and being consistent in your leadership. The overall aim is to increase the psychological attachment the employee has with their organization.
“There are many examples of high-profile companies which have made the headlines following employee sabotage. It is vitally important to understand how these situations come about: the types of employee who might resort to these behaviours; why it happens and how managers’ actions can prevent this happening,” the authors say.
Interestingly, the kind of environment that promotes such unsafe behavior often emerged as a result of strategies designed to promote security. For instance, if management operated on a ‘need to know’ basis, this would often be perceived as heavy-handed by employees, and created a breakdown in trust and connectivity between employee and employer.
Clearer communication
A recent study by Washington State University, published in the Journal of Management Information Systems, highlighted the importance of communication in promoting safer data security behaviors among employees.
The study found that IT managers would have more success in promoting secure behaviors if they avoided cold and authorative commands. A more effective strategy would be to utilize communication that was relatable and provided a range of options to help employees do the right thing. It taps into a similar desire to promote a sufficient connection between employee and employer to encourage them to care enough to do the right thing.
“If you want people inside an organization to truly change their security behaviors, you have to give them a reason to care,” the authors say. “You have to get them motivated in order to be effective at changing behaviors.”
Recent data from IBM and the Ponemon Institute found that the average cost of a data breach in 2017 was over $3.5 million, and with 85% of these breaches coming from internal sources, it’s a process few organizations can afford to overlook.
