Business Reporter

Don't let your company culture increase cyber-risk

Dr John Blythe at Immersive Labs offers advice on how to encourage people to report security issues

Enterprises have no shortage of cyber-security solutions at their fingertips today. However, even with the latest security technologies at their disposal, organisations should not overlook their workforce’s responsibilities in spotting and reporting threats. 

Proactive tools can flag potential threats, but effective security measures depend on employees escalating these issues. Surprisingly, fewer than 10% of employees report phishing emails, despite phishing being one of the most commonly encountered security threats today.

This discrepancy prompts two crucial questions - why are so few employees reporting these incidents? And how can organisations bridge this gap?

Understanding the barriers to reporting

There are numerous possible reasons why employees do not report security threats. One is that employees assume someone else will address the issue, often because they are worried about being blamed for the mistake and hope that a colleague will take on the responsibility of reporting.

Employees also fear the repercussions of incorrect reports. They might hesitate to report a potential attack, worrying they could be wrong about an email’s malicious nature or fear potential sanctions from their organisation. However, given the high costs of a successful attack, it’s crucial to foster an environment where employees are encouraged to report any suspicious emails, prioritising caution over embarrassment.

It’s also common to find staff underestimate their importance in the organisation’s security strategy. Many assume that simply not engaging with a suspicious email fulfils their duty. But, while some employees may quickly spot a phishing attempt, their colleagues might not. Failing to report such incidents allows threat actors to continue targeting others within the organisation.

Furthermore, a history of shaming employees for past errors can deter them from reporting for fear they’ve made another mistake. Tackling these barriers is vital as cyber-threats grow more sophisticated. Companies must, therefore, have a culture of reporting and avoid blaming employees who report malicious emails.  

Fostering a positive reporting culture 

Establishing an organisational culture that views the reporting of security issues positively is crucial. In an environment where employees feel supported, they are more likely to report incidents fearlessly, without concern for reprisal or judgment. This kind of positive reinforcement is essential for converting employees into active participants in cyber-security. 

Leadership is key to nurturing this culture. An effective top-down approach can be implemented by demonstrating the desired behaviours, such as leaders sharing their own experiences with reporting security issues. This ensures everyone understands that reporting is not merely a duty but a vital action to safeguard the organisation and its people, from the CEO to the newest recruit. 

Additionally, appointing security champions within various departments can significantly enhance this culture. These champions act as approachable points of contact for their colleagues, offering guidance and support with the reporting process. They also help keep security a frequent topic of conversation, ensuring it remains a priority throughout the organisation. 

Also, focusing on positive behaviours, such as reporting rates during simulated phishing exercises, rather than negative ones like click rates, fosters a more proactive attitude and response. This approach encourages employees to report suspicious activity and promotes better overall security hygiene, contributing to a more secure and vigilant organisational environment.

Organisational structures to support reporting 

Organisations must treat every reported incident as a learning opportunity rather than a chance to assign blame, using successful reports that have mitigated threats as educational tools to motivate and inform employees. This practice not only fosters a more transparent and proactive reporting atmosphere but also highlights the positive effects of vigilant behaviour on the company’s security posture. 

To support this, developing an organisational structure that facilitates reporting is crucial. By establishing the right processes and resources, companies can empower employees and embed a strong reporting culture across the organisation. Here is what companies can do to promote a structure that supports reporting.

Educational foundations

Employees often fail to report security incidents due to a limited understanding of what constitutes a threat and its implications. To combat this, organisations must enhance their cyber-security training to cover the mechanics of threats like phishing and malware comprehensively.

Training should engage employees through realistic scenarios that demonstrate the severe consequences of security breaches, thereby improving their perception of risk and encouraging active participation in the organisation’s safety. It is vital that employees understand the importance of reporting any suspicious activity to prevent escalation and maintain the company’s stability. 

By keeping cyber-security exercises current and compelling, organisations empower employees to take responsibility and contribute effectively to maintaining a robust security posture.

Simple reporting mechanisms

To create a responsive security environment, it is crucial to simplify the reporting process by removing barriers like complex systems and unclear instructions. Reporting mechanisms should be straightforward, integrating smoothly into the daily tools and workflows employees use, ensuring that everyone understands their operation and the vital role they play in a robust reporting culture. 

Additionally, providing prompt and positive feedback when issues are reported is essential to encourage ongoing participation and reinforce proactive behaviour. Such a feedback loop not only builds employee confidence but also underscores the organisation’s commitment to swiftly and effectively address security concerns, thereby maintaining a secure working environment.

By promoting open communication, ongoing cyber-security education, and avoiding penalising employees for errors, organisations can cultivate a culture where employees feel empowered and valued in their critical role in cyber-security.

Treating the flagging of malicious or suspicious emails as a pivotal role in limiting escalating cyber-threats can build a positive security culture that pays off in improved resilience.

Dr John Blythe is Director of Cyber Psychology at Immersive Labs

Main image courtesy of iStockPhoto.com and FotografieLink