The 1 Thing You Must Know About Employees and Social Engineering
They understand the risks involved. Despite that, nearly 25% of employees admitted to ignoring company-promoted cybersecurity best practices. The ignored practices included rules against storing login credentials and against saving company documents onto personal computers.
It’s an unnerving statistic for anyone tasked with protecting a company’s network.
One estimate puts the cost of employee cybersecurity training at $290,000. Set against the survey results above, that may not be money well spent.
The reasons might be as varied as the organization’s employees.
Cybersecurity and the Individual
A team of researchers out of Duke University sought to better understand how behavioral controls and personality traits affect compliance with cybersecurity policies. One goal driving the research: the idea that identifying empirical connections between employee personality type and effective cybersecurity protocol would help develop better cybersecurity measures.
The researchers found that everyone perceives cybersecurity threats in different ways. A person’s personality type drives that perception. In turn, that perception spurs different actions.
For example, take fictitious employee John Smith. John matches the “extrovert” personality profile. Because he does, the researchers consider him likelier to violate cybersecurity policies than fellow fictitious employee Bob Williams. Bob’s personality profile suggests he’s more neurotic. And that means Bob is the safer bet in this context.
The study used personality types sometimes referred to as the “Big Five.” Other times, the acronym OCEAN references those types. OCEAN stands for Openness (to experience), Conscientiousness, Extraversion, Agreeableness, and Neuroticism.
A brief description of each trait appears below. The descriptions are those of L.F. Zhang, which the Duke researchers used.
- Openness to experience: Tend to exhibit open-mindedness, an active imagination, a preference for variety, and independence of judgment.
- Conscientiousness: Tend to distinguish themselves by their trustworthiness and their sense of purposefulness and responsibility.
- Extraversion: Tend to be sociable and assertive, and prefer to work with other people.
- Agreeableness: Tend to be tolerant, trusting, and accepting, and value and respect other people’s beliefs and conventions.
- Neuroticism: Tend to experience such negative feelings as emotional instability, embarrassment, pessimism, and low self-esteem.
Their work led the Duke team to compile a list of anticipated reactions from people exhibiting specific personality traits. A sampling:
Individuals LESS LIKELY to violate cybersecurity policies:
- Open individuals with a low sense of Threat Severity
- Conscientious individuals with a low sense of Threat Severity
- Extroverted individuals with a low sense of Sanction Severity
- Agreeable individuals with a low sense of Self-Efficacy
Individuals MORE LIKELY to violate cybersecurity policies:
- Open individuals in general
- Extroverted individuals with a low sense of Threat Severity
- Agreeable individuals with a low sense of Sanction Severity
- Neurotic individuals with a low sense of Sanction Severity
An example from the researchers:
“[E]xtroverted individuals with a low sense of sanction severity are not motivated by punishments (such as receiving a negative evaluation or losing their job). Hence, training for these individuals could de-emphasize sanctions as a part of the training program, especially appeals which focus on the severity of sanctions.”
A cybersecurity policy with uniform enforcement tactics has its limits, then. It’s like waging half a battle, because different personality types filter the policies and punishments in different ways.
But if that’s waging half the battle, there’s still the other half to wage.
The kind of training the Duke researchers highlighted has yet to emerge. But that doesn’t mean concerned companies and their IT departments are empty-handed.
That’s because of another study, conducted by a different set of researchers. This one found that a lack of employee awareness about security policies is a major issue with which organizations must contend.
If combating a lack of awareness means the difference between a near-miss and a catastrophic cyber attack, then it’s as worthy a battle to wage as any.
But how does a company do that?
Straightforward and Effective Defense
A survey of cybersecurity awareness training guidance turns up three recurring suggestions:
- Foster a culture of “cyber-awareness”
- Provide recurring training
- Keep it simple
Cultivating a cybersecurity-aware culture requires buy-in. That buy-in must come from everyone, from the CEO down to college interns. Measures to keep employees aware of threats and of the consequences of policy violations may include:
- Periodic organization-wide internal email messages
- A brief presentation during new employee orientation
- Reminders during smaller team meetings
Establishing a culture favorable to employee cybersecurity awareness requires regular training. That helps keep employees engaged. It also provides an opportunity to keep them up to date on the ever-changing threat landscape. A “one-and-done” approach won’t help you keep pace with the bad guys.
It can be difficult to keep effective cybersecurity measures straight. Requiring employees to memorize a manual’s worth of tips and tricks will only frustrate them and prove ineffective.
Effective cybersecurity support from employees will require organizations to change their training. We can help you maintain tight security in the meantime.
Based in the U.S., CTC Technologies, Inc. is an IT solutions provider capable of stepping in to support your IT infrastructure needs. We’re available immediately to help your company improve network performance, mitigate risk, and operate efficiently. Contact us today for a free consultation about the wireless site survey solution that works best for your business.