Why employees are afraid to report cybersecurity errors

  • According to a study by ThinkCyber, more than 50% of employees are afraid to report cybersecurity errors in the workplace due to potential repercussions from the organization.
  • The main concerns for most organizations include sharing user credentials, clicking on malicious links, and sharing company data with external entities.

A recent study by cybersecurity firm ThinkCyber has highlighted worrying workplace trends related to cybersecurity. Employees are hesitant to report security errors for fear of disciplinary action. These trends could have significant consequences, such as security breaches resulting from unreported vulnerabilities.

The study focuses on workplace cultures that punish employee mistakes rather than creating a learning environment. Disciplinary measures raise concerns not only about their immediate consequences, but also about their long-term effects on professional development.

Key ideas

The study included responses from 163 cybersecurity professionals, including senior cybersecurity managers, chief information and IT security officers, and other IT decision makers. Some of the key findings from the survey include:

  • 53% of employees clicked on potentially malicious links in emails
  • 53% of employees shared corporate data outside the company
  • 51% of workers also shared usernames and passwords
  • 49% of companies were unable to identify the user groups that carried out the activity in question
  • 42% of employees felt their organizations could not demonstrate that security awareness training is changing workplace security practices.
  • 50% of employees felt that reporting an error would carry repercussions.
  • 39% of workers think that only executives and security teams are focused on security practices
  • 60% of workers receive security training approximately once a year
  • Employees also believe that organizations lack support for those who report errors, which discourages open communication.

These findings could negatively impact employees, leading to stress and anxiety, which would be exacerbated by a lack of support. Organizations with a punitive work culture are less likely to receive reports of security incidents. Management’s failure to communicate security policies clearly and consistently makes the problem worse.

Employees may need help understanding the importance of reporting security errors or the correct way to do so. Poor reporting can lead to vulnerabilities that cybercriminals can exploit. Additionally, poor reporting results in a loss of valuable data that companies could use to mitigate future incidents, highlighting the importance of having optimized training programs.

Ways to make training more effective

  • Provide ongoing training: According to ThinkCyber, more than just annual training is needed. Employees should receive security awareness training more regularly to stay up to date with the latest cyber threats.
  • Gradual dissemination of content: When respondents were asked how they would like to receive security awareness training, the majority said they wanted to keep their knowledge up to date and that frequent dissemination of information in small amounts gives the best results. This helps improve participation and reinforce awareness and learning outcomes.
  • Measure engagement levels and progress: Organizations should measure engagement levels, which indicate progress. Measuring behavioral impact shows the effectiveness of training, minimizes risk, and highlights user groups exhibiting risky behavior.

Strategies to promote a safe environment for reporting

  • Develop a nonpunitive reporting policy: Establish clear guidelines that support learning from mistakes rather than punishing them, so that employees understand that the goal is to improve security, not assign blame.
  • Encourage open communication: Encourage open communication about security incidents through means such as regular meetings. Companies can also provide anonymous reporting channels to help employees feel safer.
  • Develop regular training programs: Use real-life case studies to demonstrate the need for reporting and how this could prevent larger breaches.
  • Lead by example: Urge management and senior IT staff to exhibit the desired behavior. Recognize and reward employees who report incidents.
  • Create feedback loops: After employees report incidents, provide feedback on how their reporting contributes to security measures. Use data from reported incidents to optimize security protocols.
  • Use technology to support reporting: Implement tools for automated detection and reporting of various security incidents. Leverage AI and machine learning to analyze incidents and gain insights into how to prevent similar issues.

Addressing the fear of reporting security errors can help organizations create a more resilient and proactive cybersecurity environment. Encouraging transparency and learning will mitigate risks and empower employees to positively contribute to their company’s security posture.