Why Do Your Employees Indulge in Risky Online Behavior?
- By Erich Kron, KnowBe4
- November 25, 2024
Roughly three-quarters of employees resort to risky online behavior at work. This can involve anything from using entertainment or streaming services online and sharing personal information and passwords to downloading malicious or unauthorized applications, backing up work documents on unauthorized cloud storage, or visiting gaming or gambling websites. But do you know what’s worse? Most users do this willingly, knowing of its high risk.
Why employees engage in risky online activities
According to research, there are a multitude of psychological factors that contribute to risky behavior among employees:
1. Overconfidence / Optimism bias: Employees indulge in risky online behavior due to optimism bias, convinced they are immune to any potential harm or threat. This overconfidence extends beyond their actions, including a misplaced trust in the organization’s security measures. This false sense of safety can lead to employees taking greater risks.
2. Complacency: Employees tend to become accustomed to doing things a certain way, especially when workloads are repetitive. As a result, they underestimate the risks involved and may erroneously assume cybersecurity measures are readily present.
3. Social learning: For social acceptance, employees naturally observe how their peers behave. These observations help them understand behavioral norms. However, they may also influence the perception of what constitutes risk. If a user witnesses an individual sharing a password, the user may do the same.
4. Risk creep: Studies show that if individuals engage in risky behavior without serious consequences, they may feel emboldened to continue doing so. If someone downloads an unauthorized application and no system or person is there to alert them, then it’s likely the behavior will continue.
5. Convenience: Emailing a sensitive attachment is far more convenient than uploading it and sharing the link or password in two separate emails. Sometimes, the convenience of doing something a certain way can put organizations at risk.
6. Urgency: The pressure to meet a specific deadline and the desire to save time can lead to people cutting corners on security rules and processes. For instance, it’s much easier to simply download a tool rather than wait for permission from IT.
How can you curtail risky behavior?
Security awareness and behavior are distinct from each other. We all know the danger of using a phone while driving, yet most people still do so despite being aware of the risks. To bring about meaningful change, try following these best practices:
1. Cultivate a culture of security: Cultivating a culture of security means going beyond just educating your workforce. It means targeting users’ attitudes, perceptions, and behaviors about security and embedding security in the organization’s fabric. It also means being more humane and less punitive. Half of employees fear reporting cybersecurity mistakes. Culture is always instilled from the top down. Leaders must learn to walk the talk and make a personal effort to include security in their everyday conversations.
2. Implement real-world training exercises: Learning about risk and encountering one are two completely different things. Employees should know what risk looks like in the wild and the actions they should take against it. Conducting phishing simulations and other real-world exercises can help identify risk-prone users, reinforce the need to remain cautious, and build security instinct and muscle memory in employees.
3. Gamify to build interest: Who says cybersecurity has to be boring or forced upon people? If organizations leverage gamification (contests, rewards, prizes), they can make the learning process more interactive and engaging. For example, running a “spot the deepfake” contest (using websites like whichfaceisreal.com) or a “spot the phish” challenge can invoke fun and a competitive spirit among employees.
4. Deploy tighter security controls: Use technology controls to prevent users from doing risky things. For example, use a secure web gateway to block employees from visiting non-work-related websites; use phishing-resistant multi-factor authentication to add an additional layer of protection against credential theft; use an advanced email security solution that can detect phishing attacks; and use data leakage prevention to stop unauthorized sharing of sensitive data.
5. Ensure policies and procedures are user-friendly: Individuals often bypass security measures because they believe such policies will impede their work. On the flip side, if security procedures are tailored to accommodate employee requirements, there is a higher probability that they will appreciate and adhere to the company’s regulations and guidelines.
Mitigating risky behavior might sound difficult, but it’s not impossible. By understanding the motivations driving employee risk-taking, developing security protocols and training that prioritize employee needs, addressing essential safeguards such as password management, and cultivating a healthy security culture, organizations can earn cooperation from their employees and foster a more accountable and resilient workforce.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.
Erich Kron, KnowBe4
A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, Erich Kron is a security awareness advocate for KnowBe4. Author and regular contributor to cybersecurity industry publications, he was a security manager for the U.S. Army’s 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications. Erich has worked with information security professionals around the world to provide the tools, training, and educational opportunities needed to succeed in information security.