Is a cybersecurity incident cause for a disciplinary?

Salvatore Anania outlines what employers should do if a member of staff enables a cyber attack

HuberStarke/Westend61/Getty Images

When it comes to cybersecurity in the workplace, both employers and employees have obligations.

It is the employee’s responsibility to comply with the company’s policies, to understand their role and responsibilities in handling data and appropriately dealing with data breaches and cybersecurity incidents.

Conversely, it is the employer’s responsibility to ensure they have an updated data protection and cybersecurity policy in place and a refreshed data protection and cybersecurity training program that reflects current working patterns, the new vulnerabilities exposed by new technologies, and ways of spotting and preventing cyber-attacks.

With regards to current working patterns, the impact of remote working has caused the need to focus on vulnerabilities that are exposed by technologies that facilitate remote working arrangements such as the cloud and Internet of Things (IoT) devices.

As for the cloud, it has created an easy avenue for hackers to hack into a company and target employees. In fact, the cloud has created a more vulnerable environment for critical and sensitive data to be stored and given employees greater access to critical and sensitive data than ever, thus increasing the likelihood of cyberattacks and the need for employees to be trained on the threats posed by hackers.

With regards to threats and targeting employees, most data breaches and cyberattacks don’t happen by circumventing an organisation’s cybersecurity defences. Hackers incorporate social engineering scams via phishing. This means that a hacker relies on psychological manipulation rather than some form of technology to breach an organisation’s cyber defences. These techniques involve, for example, fooling an employee to open an email link or email attachment that contains malicious software.

The rise of remote working has intensified phishing techniques, especially as many employees lose face-to-face contact with their supervisors and rely on emails to make decisions.  Accordingly, organisations need to create training programs that inform employees both what cyber attacks look like and the thinking that underpins them. This sort of training will change the company culture where cybersecurity is at the forefront of every employee’s mind.

The bottom line is that data and cyber breaches are not the responsibility of any one person. If an organisation works towards reducing cyber risk and data loss, corporate culture towards the handling of data/cyber breaches will change – employees will become more aware of what cyber attacks look like, how to respond to them and protect the organisation’s data.

Employers should also note that they can be held responsible for an employee’s actions carried out ‘in the course of employment’. However, if a cyber attack or misuse of data was a purposeful, calculated and intentional act specifically taken by an employee, it may be less likely that the employer would be held responsible for the employee’s actions.

These purposeful, calculated or intentional actions will likely amount to gross misconduct following an investigation and be a fair reason for summary dismissal, and the employee may even be charged with a criminal offence.

However, in reality, cracks in a company’s cybersecurity are exposed when an employee unintentionally weakens the system: falling for high quality phishing scams, using a public WiFi network, or accessing confidential information from an insecure device such as a personal computer. In this scenario, terminating is not always the best option.

Punitive action also discourages other employees from reporting when they do fall for these scams. Instead, it would be in the employer’s best interests to prevent these incidents from occurring in the first place. Having policies, procedures and regular training will help employees to understand their role and responsibilities in handling data breaches and cybersecurity incidents and to avoid this happening in the future.   

Salvatore Anania is an associate at employment law firm Ogletree Deakins