Cyberattacks have mushroomed throughout the COVID-19 pandemic, with the threat exacerbated by the pressures on companies to divert scarce resources to pivoting their operations to both remote working and online operations.
It’s perhaps no surprise, therefore, that security has somewhat fallen by the wayside, with the training of employees so that they know how to stay safe in this new environment a particular casualty. New research from Binghamton University highlights which employees are most likely to break any policies and guidance organizations provide.
The research highlights how security policies that fail to take account of the realities of our working responsibilities and priorities are much more likely to be broken. It’s a finding that the researchers believe underpins the need for the way in which security policies are created to change so that employees are much more involved in the process.
“The frequency, scope and cost of data breaches have been increasing dramatically in recent years, and the majority of these cases happen because humans are the weakest link in the security chain. Non-compliance to ISP by employees is one of the important factors,” they explain. “We wanted to understand why certain employees were more likely to comply with ISP than others in an organization.”
Cultural influences
The researchers were particularly keen to understand how the various subcultures that exist within any organization influence cybersecurity compliance within those groups.
“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” they explain. “Each of these groups are trained in a different way and are responsible for different tasks.”
The researchers examined cybersecurity procedures across doctors, nurses, and support staff, with a particular focus on the security of electronic health records. For instance, were physicians locking their workstations when they weren’t physically present?
“Physicians, who are dealing with emergency situations constantly were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” the researchers explain. “On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”
Different responses
The analysis clearly showed how workers in each subculture responded differently, even to the same security guidelines. This leaves their organization vulnerable to data breaches.
It’s a situation the researchers believe can only really be overcome if cybersecurity staff are working with each subculture to co-create the guidelines with them.
“Information security professionals should have a better understanding of the day-to-day tasks of each professional group, and then find ways to seamlessly integrate ISP compliance within those job tasks,” they explain. “It is critical that we find ways to redesign ISP systems and processes in order to create less friction.”
It’s also important to note that employees in the research did fully understand the importance of cybersecurity, and the implications of any data breach to the hospital and to patients. When there was a conflict, however, between the needs of patients and compliance with an outdated security procedure, it was usually the security procedure that was sacrificed.
“There shouldn’t be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care,” the researchers conclude. “We need to find ways to accommodate the responsibilities of different employees within an organization.”