Why user buy-in is key when it comes to setting firms up for security success

Encryption denoted by a series of gold padlocks lined up side-by-side, with the center padlock cracked down the middle, showing a break
(Image credit: Getty Images)

Cyber security threats are, as ever, escalating as the attack surface grows, and businesses continue to face a barrage of threats from all kinds of sources, leveraging all manner of attack vectors. While strategies such as patch management may work to reduce the chances of suffering at the hands of one of the most common security vulnerabilities, there is still a worrying air of inevitability about a cyber attack. Why? Quite simply, employees – not hackers – can often be the biggest threat and one that’s beyond your control. There are many reasons why – but one of the main triggers is a lack of buy-in among the workforce.

With organizations taking important steps to protect the workforce, including implementing factors like two-factor authentication (2FA) and single sign-on (SSO), all under the umbrella of zero trust, for many, this might be deemed a lot of change all at once. Of course, taking key steps like this are, without question, the right thing to do, but taking technical steps won’t be enough to guarantee you’re plugging the gaps. Without adequate employee training, communication, and consent, the workforce will be less inclined to swallow what may be perceived as more barriers to productivity and obstacles.

Employees are the organization’s biggest threat

People are the biggest cause of cyber security incidents, according to Gartner’s latest annual cyber security predictions, published in January. “We’re not generally being confronted by super hackers with novel “lock picking” skills,” the report said. “If you look closely it could be employees that are leaving openings for hackers to do damage."

Whether it’s through phishing or through social engineering, there are a litany of reasons why employees may be one of the most vulnerable points in your defensive outlook. Indeed, no matter how good your protections are, if you don’t prime your personnel for doing their part, they can end up opening up the gates to all manner of dark possibilities. 

Despite a gradual move away from passwords, spearheaded by big tech companies, they’re still a major headache for enterprises. These are, by far, the biggest weaknesses in an organization’s network, according to Specops’ latest Weak Password Report. The most common terms used in passwords were ‘password’, ‘admin’ ‘welcome’ and ‘p@ssw0rd’, according to the report. The research found that the majority (88%) of passwords used in successful attacks were 12 characters or less, and the most common - at 24% - were eight characters. 

The rampant rise of mobile devices in the workplace – before and since the pandemic – has also led to a broader attack surface. With employees – and businesses – favoring the flexibility that hybrid work brings, the idea of a traditional network perimeter has fizzled out and has been replaced with a broader and more sprawling and difficult to manage employee and device ecosystem. 

Why the future is likely to pose more risks

Gartner also found last year that many technologists within businesses are actively circumventing security controls because they’re perceived as adding too much friction. The organization’s latest board of directors’ survey, meanwhile, suggested there was a 7% increase in risk appetite at board level. In other words? The c-suite is feeling a shade more lucky – or at least willing to absorb some risk in the interests of creating a smoother user experience for technologists and employees.

We’ve seen this play out in real time over the last few years – with the changes to hybrid work and more flexible device policies leading to greater risk that needs to then be managed in some way. With many businesses looking to become yet more digital, forward-thinking and dynamic, this will only serve to increase the level of risk businesses will undertake, and will also create more opportunities for hackers to exploit the ‘insider threat’ of employees. This is, of course, unless the enterprise can deploy the right strategies and frameworks to mitigate any additional risk they decide to consciously take on.

“Employees understand their enterprise’s cyber security guidelines and know how to avoid creating risks,” says Deepti Gopal, director at the analyst firm. 

“Instead of developing hard-to-follow policies and guidelines in silos, engage with your business leaders. By opening up this channel you are encouraging feedback on those policies. This will empower you to create a program that enables businesses to get to their end goal faster and safely. Otherwise, you run the risk of pushing employees to bypass the security guidelines.”

How to boost employee buy-in

There are many things senior IT professionals, including CISOs, can do to mitigate the insider risk, but achieving buy-in is essential. There is, as Gartner’s report identified, a lack of “human-centric design thinking” when it comes to implementing the tools and systems in place. And, on face value, they’re seen as excessive controls, policy and rigidity which, in turn, can lead to cyber security-induced friction that reduces the quality of the user experience, and simply encourages highly risky workarounds.

“The lack of human-centric design thinking does not impact just the cybersecurity team; it also contributes to fatigue and friction that the rest of the organization experiences, ultimately driving up insider risk,” the report summarizes.

One key method cyber security leaders can use to reduce this friction is to be involved in the design phase and beta testing of tools and processes that will be implemented in the business. They should experience the impact of the controls from that critical user experience point of view and feedback constructively to make sure the need for security is balanced with the need to preserve the users’ user experience. 

“What makes insider risk management especially tricky is the need to balance people, processes, and technologies,” writes former Microsoft CISO Bret Arsenault in the Harvard Business Review.

“Powerful tools can help impede, detect, and respond to insider risks — but they won’t address the root causes. That’s where detailed onboarding, security training, team-building exercises, and work-life balance programs are useful. Building a healthy work environment helps reduce the risk of an employee intentionally engaging in dangerous behavior.”

Promoting a strong culture around collaborative design, role-modeling and risk-aware decision making with all stakeholders is also key, and is the best way to slow the deluge of embedded risks in businesses that are undergoing rapid change. Where there are incidents of human error, too, these should be used as a bellwether for process-related fatigue, and whether any stress or burnout among employees may be contributing to high-risk activity.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.