Cybersecurity And The Workplace: Part 1
Employee Burnout: An Overlooked Cybersecurity Threat?
From hybrid and remote work to the Great Resignation to a greater emphasis on DEI initiatives, the modern workplace is currently undergoing systemic changes. Discussions of these dynamic shifts in the workplace are often framed from an economic or HR perspective, while less attention has been devoted to the cybersecurity impact of these workplace trends. This series aims to break down the cybersecurity implications of current workplace trends, beginning with this first piece on the cybersecurity threat posed by employee burnout.
Time: A Roadblock to Improved Cyber Hygiene?
The majority of cybersecurity breaches are a result of human error. According to the Verizon 2021 Data Breach Investigations Report, 85% of cyber breaches involved the “human element.” While cybersecurity training is extremely important in mitigating this risk, it is only effective when it leads to changed and improved cyber hygiene behaviors across an organization. However, time and employee burnout prove to be key (and often overlooked) barriers to bringing about this shift in cyber behaviors.
Employee burnout presents a "severe, pervasive and multifaceted security risk" to organizations. - The Burnout Breach, 1Password
While human resource departments have long been aware of the impact employee burnout has on an organization’s productivity, engagement, and turnover rates, less attention has been devoted to the nexus between employee burnout and an organization’s cybersecurity posture. Yet a recent report by 1Password found that employee burnout presents a “severe, pervasive and multifaceted security risk” to organizations. Strikingly, the survey data showed that burned-out employees were three times as likely as non-burned-out employees to consider security rules and policies not “worth the hassle” (20% vs 7%).
Burned-out employees compared to non-burned-out employees were 3x as likely to consider security rules and policies to not be "worth the hassle" - The Burnout Breach, 1Password
What can explain this relationship between employee burnout and cyber risk? For starters, employees who are feeling overextended and burned out are less likely to have the time or energy to devote to cyber awareness training and to following cybersecurity protocols. Instead, if employees are juggling multiple projects and workloads, they are more likely to cut corners to get their immediate work done. This may result in a variety of outcomes, from failing to actively engage with or complete cyber training to circumventing cybersecurity protocols in exchange for the ease and convenience of getting tasks completed quicker. Likewise, time-scarce and burned-out employees are less likely to pay attention to details and are more likely to make errors because they feel rushed or worn out. Finally, employees who feel fatigued and overworked are more likely to feel apathetic about the importance of cybersecurity and their role in protecting the organization, especially if they are considering leaving the organization for a new position.
Addressing the Cybersecurity Challenge Posed by Employee Burnout
If the Great Resignation was not already a key indicator that firms must better prioritize job design and equitable workloads, the 1Password report shows that cybersecurity is yet another crucial reason why firms should place a greater emphasis on employees’ work-life balance and overall well-being. Doing so requires a collaborative effort that extends beyond the walls of the HR and IT departments and across the organization. Below are a few considerations for how firms can begin to approach the cybersecurity challenges presented by employee burnout and ultimately help bring about improved cyber hygiene across the organization.
Management embraces and prioritizes cybersecurity across the organization
Changing employee cyber hygiene behaviors begins with management across the entire organization embracing and prioritizing cybersecurity. Setting the tone from the top down that cybersecurity is a key priority of the organization helps to generate buy-in from employees. Managers across departments should be tasked with communicating the firm’s cybersecurity priorities to their direct reports so that everyone in the organization is on the same page. The “why” of this equation is extremely important when conveying this message: for employees to embrace cyber initiatives, they must understand why those initiatives matter to their industry, their organization, and their specific positions.
Designate time for cybersecurity training and awareness
Not only must firms create a narrative that prioritizes cybersecurity, but they also must foster a space that allows employees to learn and act on those priorities. One possible strategy firms could consider implementing is a “Drop Everything and Learn (DEAL)” policy, where employees’ calendars are blocked off for a designated period each month or quarter that is entirely devoted to cyber training and awareness. The goal here is to treat cybersecurity initiatives as an equal priority to other work responsibilities such as client meetings, writing a report, or preparing a presentation for investors.
However, a DEAL policy is not as simple as blocking off an hour on employees’ Outlook calendars. Managers must ensure employees have the flexibility in their schedules to participate in DEAL and must subsequently hold them accountable. Pairing phishing testing with cybersecurity training is one way to hold employees accountable.
Adopt secure and user-friendly software and security policies
Firms should adopt user-friendly cybersecurity policies and software to reduce the burden on end users and the impact on employee workflows. If complying with a cybersecurity policy is perceived as a heavy lift from an employee’s perspective, employees are more likely to cut corners or disregard the policy entirely than they would be if the policy were user-friendly. Installing security filters that intercept phishing emails before they reach an employee’s inbox is one example that alleviates the pressure and burden on employees. Adopting single sign-on (SSO) as an authentication scheme is another example of a user-friendly policy, as it reduces the number of unique passwords employees must remember at one time.
Likewise, considering how cybersecurity policies will impact employees before adoption can help to prevent a gradual decline in compliance. One way to do so is to include employees in discussions surrounding the development and/or selection process so decision-makers can better understand how certain protocols or software may impact workflows across departments.
Implement controls to check or minimize employee error
Alongside adopting user-friendly security controls, firms should also implement controls that check for or minimize employee error in case employees do not comply with proper security controls. This should include a combination of technological safeguards and managerial oversight efforts. Phishing testing is one way to provide employee oversight and reinforce proper cyber behaviors. At the end of the day, firms must recognize that they will not achieve 100% employee compliance with cybersecurity policies and procedures. However, having mechanisms in place that track deviating activity and make it difficult for employees to stray off course in the first place will help to hold employees accountable and drive the necessary corrections in behavior.
How we help
ACA Aponix® helps firms stay on top of their cybersecurity programs. Contact us to discuss how we can help assess and strengthen your current program to prevent cyber-attacks caused by employee burnout.