How to deal with repeat cybersecurity offenders

As the cost of security breaches increases, it might only be a matter of time before HR is charged with handling unwitting offenders

A colleague recently told me that his employer used to have a wall of shame for cybersecurity offenders. People who clicked on phishing emails one too many times, shared login details or regularly fired off emails to the wrong recipients had their mugshot in this rogues’ gallery.

There was so much negative feedback that, despite it being a lighthearted initiative, this jokey public shaming didn’t last long. The ‘naughty list’ was, however, privately sent to HR leaders and line managers so they could take remedial action with employees who kept making slip-ups.

However, a second scheme, which rewarded behaviour rather than punished it, was received far more positively. Employees who quickly identified data violations and alerted the right teams via the correct processes were given prizes and regarded as role models.

Does this mean the carrot is better than the stick when it comes to managing employees who repeatedly make cybersecurity mistakes? Intriguingly, my colleague said the results of these two methods were broadly the same – they both worked as effectively as each other when it came to deterring further breaches.

Many security breaches are caused by social engineering, a mental manipulation method that plays on employees’ emotions – boredom, curiosity or the desire to impress – and lures them into following a demand from a purportedly trustworthy source. It might be a vishing (voice-phishing) call from what appears to be the bank, asking for a PIN, or a phishing email from someone masquerading as the tax office, requesting login details.

Research conducted by Willis Towers Watson and ESI ThoughtLab in 2018 shows the vast majority of cyber incidents result from employee behaviour and human error. A large proportion of these errors are induced via social engineering. So how can HR teams address this issue and manage repeat offenders?

One method is to run simulated phishing attacks. Employees receive a fake phishing email and the ‘phish-prone’ percentage of staff, those who fall for it, is identified. Training sessions then raise awareness of the techniques scammers use, staff are phished again, and the process repeats.

Many HR teams report that this ‘test and educate’ approach cuts the number of employees duped by con emails. Others warn simulated phishing, if not done sensitively, can erode trust.

Another technique is to preselect employees who belong to a high-risk group and provide them with extra support. The controversial element here is what makes someone risky. It’s understandable if they work in IT or finance, handling confidential information, but what about an employee’s previous track record? If they’ve ever recycled passwords, accessed another department’s server or mistakenly copied the wrong people into emails, no matter how long ago, these past mistakes could inform their risk profile.

And what about their performance at previous organisations? HR officers may soon ask for someone’s cybersecurity track record when they ask for references. The HR community needs to debate these issues carefully.

The common thread here is being able to identify employees who present a risk, knowing what level that is and using these facts to organise appropriate support. Talking to HR leaders, it seems that this support nearly always involves awareness-raising, testing and training. There is far less focus on using disciplinary action or employment terms to manage cyber risk.

But, with daily reports of employee-related breaches and the crippling ICO fines that follow, it may be only a matter of time until HR directors – as a key part of the executive leadership team tackling cyber risk – change their approach to reflect the more punitive framework that GDPR is imposing on UK organisations.

Phil Chambers is chief operating officer at Metro Communications