If “a company is only as good as the people it keeps,” why do so many businesses overlook their people when it comes to managing risk?
People are just as important as technology when it comes to keeping organisations safe. Yes, cutting-edge security tools are undoubtedly essential. But they are not infallible. From employees finding shortcuts to complex security measures to the persistent threat of social engineering attacks like phishing, many of technology's weaknesses are, in fact, created or exacerbated by human behaviour.
As organisations invest in ‘cutting edge’ technology to defend against malicious attacks, we urge them to take a more holistic approach to cybersecurity – one that places equal emphasis on human risk strategies and technological defences. In part one of my two-part article, I share how and why organisations benefit from a shift in their approach to risk management and highlight the crucial need to take human factors into account.
Understanding human behaviour
Human behaviour has a direct impact on risk management outcomes. Individuals may downplay risks or overlook warning signs. Workers may choose to ignore potential risks based on their emotions or perceptions in a given moment. Employees may prioritise factors that are a greater driver for them personally, such as productivity, and thus rationalise taking risks.
I recently experienced the impact of human behaviour firsthand when returning an item and receiving a refund that exceeded the original purchase price. When I explained the situation to the employee, they seemed distressed and hesitated to involve their manager. In this matter, and any affecting a business and their bottom line, workers would ideally feel comfortable raising the issue and seeking support. This employee didn’t, and it made me think: What factors contribute to employees’ reluctance to escalate a situation that may potentially impact the company? Are psychological barriers like fear or embarrassment stopping them? Could their job be compromised?
The situation reminded me that humans work according to the reactions they give and get. It also revealed why it’s so important to acknowledge and address the human element in risk. In doing so, organisations can deep-dive into employees’ motivations and behavioural patterns and take steps to mitigate risk through a more security-engaged culture.
Accounting for human risk
When addressing the complexity of human behaviour within risk management, organisations need to focus on implementing measures that support employees through challenging times. Understanding the triggers, fears, and goals that form core human behaviours is a crucial first step, as these elements frequently shape how individuals perceive and react to risks. Then, organisations must adopt a culture where employees feel empowered to address potential risks and/or raise them freely without fear of retribution. Here’s how:
Understanding employee priorities and capacity
Effectively mitigating risk requires an understanding of employee priorities and capacity. It’s these priorities and urgencies that often drive employees to resort to non-secure methods such as transferring business documents to personal email accounts or sharing passwords because they have a deadline to meet. Although such actions can pose significant risks to organisational security and confidentiality, employees often won’t consider, or will even flat-out disregard, this factor due to stress and pressure.
Protocols, procedures, and support mechanisms
On days when individuals are stressed or working overtime, businesses should reinforce necessary protocols and procedures. Providing easily accessible and digestible guidelines or offering the right support mechanisms can help employees to make good decisions in spite of tough circumstances. Organisations should encourage workers to seek help or advice when needed or step away from tasks for a short time to foster a culture of support and collaboration.
By recognising the pressure team members face and providing adequate resources and support, organisations can help mitigate the likelihood of risky behaviours and promote a culture of security awareness.
Balancing the new world of work with security and compliance
The movement toward BYOD (Bring Your Own Device) has become common in most industries. This represents a significant cultural shift for security professionals. That’s because personal devices, such as tablets, laptops, and smartphones, may lack the same level of security as company-issued equipment, making them more susceptible to malware, unauthorised access, and data breaches. If the security/IT organisation fails to address these realities, employees are more likely to cut corners or circumvent security controls to get their work done. This could include bypassing VPNs, ignoring encryption protocols, using unsecured networks, or forgetting to update security software on personal devices, any of which could expose the organisation to serious security vulnerabilities.
How to build a better organisational culture and empower employees
Promoting accountability, transparency, and teamwork is key to empowering risk management team members and creating a strong organisational culture. This approach allows employees to take initiative and make valuable contributions to proactive risk-reducing methods. Take the following steps to build a solid foundation for your secure culture:
- Provide the right resources: Make comprehensive training programs, resources, and support networks easily accessible and available to employees.
- Implement a continuous theme of security: Utilise global chat channels (Teams, Slack, etc.), newsletters, and bulletins to keep employees informed and aware of security updates and incidents.
- Use visual aids: Implement ‘incident-free’ clocks (think the ‘accident-free’ clock in Monsters Inc) or forms of gamification like escape room-style training exercises to make risk tracking and awareness more tangible and engaging.
- Introduce a positive rewards system: Encourage more proactive risk management practices by emphasising the importance of risk awareness and proactive problem-solving; recognise well-handled security events to cultivate a culture of collaborative responsibility.
- Incorporate stakeholders from multiple departments: Highlight the distinction between security and IT to illustrate that security concerns extend beyond technical difficulties and ensure that everyone in the organisation understands their responsibility in minimising risks and protecting resources.
- Highlight the personal relevance of threats: Help employees understand the consequences of security breaches for both them and the business, such as leakage of pay and personal details, so that the realities of security risk resonate with them.
Cultivating empathy and understanding towards employees, and acknowledging that emotions and motivations often drive human behaviour, are key to implementing effective risk management strategies. By acknowledging these human drivers, risk professionals can proactively address potential risks and create a culture of accountability and collaboration. In turn, organisations can decrease the impact of human-related risk and safeguard the long-term sustainability of the business. Use the tips above to help foster a culture of open communication and empower employees to reduce your organisation’s human-related risks.
If you want to take immediate action to improve your organisation’s human risk management, check out Turnkey’s Human Risk Maturity Assessment to understand your current maturity level and get a clear roadmap for change.