Why Employees Make Risky Choices

By: Arieanna Schweber | 8/31/2015

Many reports have been coming out pinning most of the blame for data breaches on people, whether it’s inadvertent human error or malicious behaviour. As many as 90% of all security incidents are tied back to “people” - mistakes, phishing, bad behaviour, lost stuff, etc. According to our own study, many employees put data at risk in small but ultimately significant ways, such as modifying default settings, accessing personal email, online banking / shopping, social media, public WiFi, or file sharing. With a growing recognition of the risks posed by employees, we must ask: why are employees making risky choices that defy corporate security policies?

Kevin Beaver recently explored this topic as well, offering several ideas:

  1. People are selfish - we see this also as a primary driver, where employees willingly ignore policies in order to enhance their productivity. Long-term consequences are not even considered. Take this example recently shared by the FTC of an employee who circumvented existing blocks that prevent the downloading corporate data, instead using a personal website to transfer data outside the network and on to personal devices.
  2. People lack awareness - without knowing why there are restrictions on data access and data mobility, employees are most likely to try to find their way around security defences. If people don’t know what the rules are or what is expected of them, they are likely to believe security is “not their job.”
  3. People believe enforcement is non-existant - malicious insiders believe their behaviours will either go undetected or will not result in negative consequences

As Kevin points out in his own article, “it’s up to you to set your users up for success,” by being prepared with an awareness of what data you have, enforceable and well-communicated policies, and necessary support technologies. We share some of our thoughts on employees and data security in our whitepaper, ‘The Enemy Within - Insiders are still the weakest link in your data security chain.’

Financial Services