© Copyright People Matters Media Pte. Ltd. All Rights Reserved.

 

 

50% employees afraid to report cybersecurity errors: Here’s how to create a safe environment

Story • 31st Jul 2024 • 5 Min Read

Author: Gabriela Paz Y Miño
The average cost of human error in cybersecurity is $133 per record. And it takes organizations about 242 days to identify and resolve an issue related to such inadvertent actions.

A study by ThinkCyber revealed that over 50% of employees fear reporting cybersecurity mistakes due to potential repercussions from their organisations. Most employees feel underprepared to handle security risks, leading to significant consequences such as unreported vulnerabilities that can result in severe security breaches.

Key factors contributing to this fear include the worry of facing disciplinary actions, job loss, or negative performance reviews. In workplaces with a blame culture, employees are less likely to come forward with errors, as harsh penalties for mistakes discourage open communication. Admitting cybersecurity errors can also be embarrassing for employees, leading to feelings of inadequacy and fear of judgment from peers and superiors.

A lack of awareness among employees about the importance of reporting cybersecurity errors and the proper channels to do so exacerbates the issue. Many employees believe that reporting an error will not lead to constructive outcomes or that their concerns will be ignored, stemming from previous experiences or a general lack of trust in the organization’s response mechanisms. This perception of futility, coupled with poor communication of security policies, further discourages reporting. 

ThinkCyber's study comprised responses from 163 cybersecurity professionals, including senior cybersecurity managers, CISOs/CIOs, and other IT decision-makers. Some key insights from the survey are:

  • 53% of employees were clicking on potentially malicious links in emails

  • 53% of workers shared corporate data outside of the business

  • 51% of workers also shared usernames and passwords

  • 49% of companies could not identify user groups carrying out the concerning activity

  • 42% of employees felt their organizations could not show that security awareness training is changing workplace security practices.

  • 50% of employees felt that reporting a mistake would not be free from repercussions

  • 39% of workers think that only executives and security teams are focused on security practices

  • 60% of workers receive security training around once a year

Non-punitive reporting policies are key

Employees occasionally make mistakes without realizing how dangerous they can be to the organization’s cybersecurity. Human errors, such as sharing user credentials, clicking on malicious links, or sharing company data with external entities, are a significant cause of data breaches. According to the 2019 Verizon Data Breach Investigations Report, human mistakes accounted for 21% of data breaches in 2018. To mitigate these risks, organizations must develop non-punitive reporting policies, foster open communication, and implement regular and effective training programs to encourage employees to report security mistakes without fear.

The 2019 Cost of a Data Breach Report by the Ponemon Institute found that the average cost of inadvertent breaches from human error is $3.5 million. According to the Ponemon study, negligence of employees or contractors is the root cause of 24% of data breaches. 

Mostly, these human errors are made by so-called inadvertent insiders who may be compromised by phishing attacks or have their devices infected, lost, or stolen. The average cost of human error in cybersecurity is $133 per record. And it takes organizations about 242 days to identify and resolve an issue related to such inadvertent actions. 

Employees may need help understanding the importance of reporting security mistakes or the correct way to make a report. Poor reporting can lead to vulnerabilities cybercriminals can exploit. Poor reporting also results in a loss of valuable data that companies could use to mitigate future incidents, highlighting the importance of optimized training programs.

Organizations must develop effective strategies to foster a safe reporting environment. These include:

  • Deliver ongoing training: According to ThinkCyber, annual training alone is not enough. Employees should receive security awareness training more regularly to stay current with the latest cyber threats.

  • Drip-feed content: Frequent information dissemination in small quantities helps improve engagement and bolster awareness and learning outcomes.

  • Measure engagement levels and progress: Organizations must measure engagement levels, which indicate progress. Measuring behavioral impact shows the effectiveness of the training, minimizes risk, and highlights user groups that display risky behavior.

  • Develop a non-punitive reporting policy: Set clear guidelines that support learning from mistakes rather than punishing them to ensure employees understand that the focus is improving security, not assigning blame.

  • Aid open communication: Encourage open communication about security incidents through mediums like regular meetings. Companies can also provide anonymous reporting channels to help employees feel more secure.

  • Lead by example: Urge management and senior IT staff to exhibit desired behavior. Recognize and reward employees who report incidents.

  • Create feedback loops: After employees report incidents, provide feedback on how their report aids security measures. Use data from reported incidents to optimize security protocols.

  • Use technology to support reporting: Implement tools for automated detection and reporting of various security incidents. Leverage AI and machine learning to analyze incidents and gain insights on preventing similar issues.
