Blog by Chris Bush, Head of Security, ObserveIT
According to the latest Labour Force Survey, 15.4 million working days were lost due to work-related stress, depression or anxiety last year. At the same time, workplace happiness has been steadily decreasing over the past three years, down to just 41 percent of staff reporting they are happy most of the time (Personal Group survey).
There’s no getting away from the conclusion that employee discontent can seriously impact personnel health and productivity in the workplace. Fortunately, more and more businesses are beginning to sit up and take notice of employee wellness, recognising the issue of “burnout” as more than just a question of workplace morale or a concern for HR.
One of the less obvious, but equally significant, consequences of employee burnout is the increased risk of a security breach initiated by company insiders. Disengaged or overworked employees often act negligently. Indeed, the latest Verizon Data Breach Investigations Report revealed that nearly one-third of all breaches were caused by employee errors.
Previously, businesses targeted their cybersecurity efforts on keeping out the ‘bad guys’ and making sure access to the network was as restrictive as possible. But in today’s digitally connected world, the reality is that personnel across the organisation have access to sensitive data, and they can also be an entry point for hackers. From simple USBs and email to mobile apps and cloud sharing, the number of ways that data can leave an organisation also continues to grow – increasing a business’s vulnerability to both accidental and malicious data breaches.
But companies can’t afford to ignore the risks to security posed by unhappy employees. To address this, all departments in the company need to work together – from HR and legal to IT and operations. An ObserveIT survey recently revealed that although a significant 89.5 percent of UK IT leaders recognise that a happy workforce is more likely to keep an organisation secure than an unhappy one, nearly half (48 percent) of businesses globally still aren’t investing enough in employee happiness and wellbeing.
What can businesses do to tackle the Insider Threat?
Organisations need to connect the dots between employee well-being and cybersecurity. The good news is that by taking a few proactive steps, businesses can rise to the challenge. The first step is to be aware of the causes of burnout and work to mitigate them. According to Gallup, the top five causes of burnout are:
- Unfair treatment at work
- Unmanageable workload
- Lack of role clarity
- Lack of communication and support from their manager, and
- Unreasonable time pressures.
Addressing these factors not only makes good business sense, it also decreases employee discontent and the risk of an Insider Threat resulting from it.
Equally important is the implementation of clear and effective cybersecurity policies, developed with the input and coordination of different departments across the organisation, including IT, HR, and legal. Effective training on those cybersecurity protocols is also key.
It’s worth noting that despite training, burned-out employees may still take risky shortcuts when it comes to cybersecurity if they feel under pressure and are looking for ways to get the job done. For example, although warned against using popular, but less secure, cloud sharing options like Box or Dropbox to transfer data, a tired or frustrated employee may revert to the easiest, rather than most secure, way to transfer files – putting company data at potential risk.
As such, monitoring user activity on company systems is essential, not only to detect problematic behaviour, but also to train employees in real time, by triggering instant reminders when out-of-policy activity occurs, and blocking high-risk activity outright.
Activity monitoring also provides businesses with behavioural context, speeds up investigations, and enables them to discern behavioural profiles – like being disgruntled or careless – and learn what to look for in the future. These reminders can also be used by HR to support reviews and identify the need for more training or support.
The cyber threat landscape is constantly changing, but people remain at the heart of any cybersecurity effort. When employee well-being is made a priority across the business, the chances of a malicious insider breach are drastically reduced, and staff are far more likely to approach cybersecurity as a team sport. Combined with effective training and comprehensive visibility into user activity, this means employers can take immediate action instead of just reacting, protecting both their employees and their data – something that’s good business for everyone.