Over 50% of Employees Fear Reporting Cybersecurity Mistakes Finds ThinkCyber Study

A new study by ThinkCyber has found that most employees feel underprepared to deal with security risks at their organizations. Find out more about the study, problems with cybersecurity training, and measures to improve awareness outcomes.

July 16, 2024


  • According to a ThinkCyber study, over 50% of employees fear reporting cybersecurity mistakes in the workplace owing to potential repercussions from the organization.
  • Most organizations’ key concerns include sharing user credentials, clicking on malicious links, and sharing company data with external entities.

A recent study by cybersecurity firm ThinkCyber has highlighted concerning trends in workplaces related to cybersecurity. Employees are hesitant to report security mistakes due to a fear of disciplinary actions. Such trends could lead to significant consequences, such as security breaches arising from unreported vulnerabilities.

The study focuses on workplace cultures that punish employee mistakes rather than create a learning environment. Disciplinary actions raise concerns not just about immediate drawbacks but also about their long-term impacts on career development.

Key Insights

The study comprised responses from 163 cybersecurity professionals, including senior cybersecurity managers, CISOs/CIOs, and other IT decision-makers. Some of the key insights from the survey are:

  • 53% of employees were clicking on potentially malicious links in emails
  • 53% of workers shared corporate data outside of the business
  • 51% of workers also shared usernames and passwords
  • 49% of companies could not identify user groups carrying out the concerning activity
  • 42% of employees felt their organizations could not show that security awareness training is changing workplace security practices.
  • 50% of employees felt that reporting a mistake would not be free from repercussions
  • 39% of workers think that only executives and security teams are focused on security practices
  • 60% of workers receive security training around once a year
  • Employees also believe that organizations lack support for those who report mistakes, discouraging open communication.

Such findings could negatively impact employees, resulting in stress and anxiety further exacerbated by a lack of support. Organizations with a punitive work culture are less likely to see reports of security incidents. Management’s failure to communicate security policies consistently and clearly worsens the problem.

Employees may need help understanding the importance of reporting security mistakes or the correct way to make a report. Poor reporting can lead to vulnerabilities cybercriminals can exploit. Poor reporting also results in a loss of valuable data that companies could use to mitigate future incidents, highlighting the importance of optimized training programs.

Ways to Make Training More Effective

  • Deliver ongoing training: According to ThinkCyber, annual training alone is not enough. Employees should receive security awareness training more regularly to stay current with the latest cyber threats.
  • Drip-feed content: When respondents were asked how they would like to receive security awareness training, most said they wanted to keep their knowledge fresh and that frequent information dissemination in small quantities gives the best results. This helps improve engagement and bolster awareness and learning outcomes.
  • Measure engagement levels and progress: Organizations must measure engagement levels, which indicate progress. Measuring behavioral impact shows the effectiveness of the training, minimizes risk, and highlights user groups that display risky behavior.

Strategies to Foster a Safe Reporting Environment

  • Develop a non-punitive reporting policy: Set clear guidelines that support learning from mistakes rather than punishing them, so that employees understand the focus is on improving security, not assigning blame.
  • Aid open communication: Encourage open communication about security incidents through mediums like regular meetings. Companies can also provide anonymous reporting channels to help employees feel more secure.
  • Develop regular training programs: Use real-life case studies to showcase the need for reporting and how it could prevent more significant breaches.
  • Lead by example: Urge management and senior IT staff to exhibit desired behavior. Recognize and reward employees who report incidents.
  • Create feedback loops: After employees report incidents, provide feedback on how their report aids security measures. Use data from reported incidents to optimize security protocols.
  • Use technology to support reporting: Implement tools for automated detection and reporting of various security incidents. Leverage AI and machine learning to analyze incidents and gain insights on preventing similar issues.

Addressing the fear surrounding making reports of security mistakes can help organizations create a more resilient and proactive cybersecurity environment. Encouraging transparency and learning will mitigate risks and empower employees to contribute positively to their company’s security posture.

Anuj Mudaliar
Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors - trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.