Why do we often blame cyber missteps on the corporate victim?
Forbes: Why companies should stop the cybersecurity blame game
Consider two scenarios: a private individual who has been scammed, and an employee who keeps clicking on bad links at work.
The norm is to feel empathy for the person who has been scammed but to chastise the employee who continues to click on bad links. Yet both examples demonstrate the same fundamental behavior: each person was manipulated by a third party, through a digital channel, into taking an action.
So, why do we often blame cyber missteps on the corporate victim?
Across our digital environments, we have built systems with weaknesses and then expected people to compensate for them. Every technology asset an organization deploys carries some risk. Instead of putting the onus of risk mitigation on end users, we need to provide appropriate technical controls for each asset. That is, business leaders must answer digital problems with digital security controls, and when those controls fail, the failure belongs to the controls, not to the end user.
Scapegoating users for cyber accidents without providing appropriate security controls does not ultimately result in cyber risk reduction. In other words, failure-based punishment does not encourage improvement in end-user behaviors.
Instead of putting employees in the penalty box for failing phish tests, we should stop the blame game by developing a culture that empowers a cyber-vigilant workforce. This in turn will result in better cyber risk reduction outcomes.
To err is human. Knowing that, it is important to foster a culture in which employees understand and follow company protocol for any cyber misstep. After clicking on a malicious link or downloading a suspicious file, an individual can either ignore the mistake or self-report it.
A blame-first cybersecurity culture discourages employees from reporting the error, increasing the potential risk posed by these threats. Welcoming and encouraging self-reporting, however, can foster a transparent cybersecurity culture that improves vigilance and end-user buy-in, thereby reducing the cyberattack surface.
The Department of Homeland Security’s 2010 campaign, “If you see something, say something,” has profound empowerment in its simplicity. But with globally distributed workforces, to whom and how can they “say something?” A critical component of improving cyber culture is to make self-reporting clearly defined, easy and accessible.
A busy employee likely has neither the time nor the desire to complete a lengthy IT ticket, especially under fear of retribution. Organizations need to make it simple, and free of stigma or punishment, to self-report suspicious or anomalous cyber activity.
Cybersecurity awareness training doesn’t just protect the organization, it also empowers employees to stay cyber aware in their personal lives.
If "data is the new oil,” it should be no surprise that cyber criminals also hunt for sensitive personal data in addition to company data. Relevant and timely cyber training helps employees protect themselves from cyber threats at work and at home.
The annual check-the-box cybersecurity training doesn't work because it isn't engaging or relevant. For training to be impactful, it should be regular, timely and built on real-world examples. When training is designed around adult education principles, employees can truly understand the threats, the risks and their own role in cyberspace, which creates a more conducive atmosphere for instilling lasting improvements in end-user behavior.
Stopping the cyber blame game as part of their overall cyber risk reduction strategy is in organizations’ best interest. Continuing to punish the reckless corporate “bad link clicker” isn’t going to move the needle against increasingly sophisticated cyber adversaries. But, by creating a cyber-safe culture at work and providing valuable cyber training, employees can not only better protect their organizations, but also themselves and their families.
This article first appeared in Forbes.
Lefebvre, Mike. “Why Companies Should Stop The Cybersecurity Blame Game.” Forbes. forbes.com, March 31, 2023. https://www.forbes.com/sites/forbestechcouncil/2023/03/31/why-companies-should-stop-the-cybersecurity-blame-game/?sh=181ac2a878d3.