The Importance of Employee Reporting in Cybersecurity

The 2017 Uber hack that was discovered thanks to a vigilant employee is still heard in cybersecurity circles whenever the conversation turns to employee vigilance and reporting. In the now-famous hack, a vigilant employee reported that another employee was accessing unauthorized records and stealing sensitive customer data. Uber cybersecurity teams promptly swung into action, but investigations were to later reveal that information pertaining to over 57 million users and 600,000 drivers was exfiltrated. Uber took the unprecedented step of paying USD 100,000 to the hackers to destroy the data.

As cybersecurity leaders urge employees to ‘see something, say something’, and a ‘speak up’ culture on a variety of subjects becomes more pronounced in organizations, the role of employee reporting in cybersecurity is garnering more importance by the day.

At the core

Employees process organizational data in various capacities on multiple occasions during a workday. This translates as multiple opportunities for them to either protect that data or to create, advertently or inadvertently, vulnerabilities that will compromise that data.

For a long time, organizations focused on the last part, citing incidents and statistics to substantiate the claim that employees were the Achilles heel in the cybersecurity chain. Certainly, the facts seemed to make the case.  The World Economic Forum (2) reported that  95% of all cyberattacks can be traced to human error. As many as 74% of CISOs identified that human error (3) is the most significant vulnerability in cybersecurity, and 80% considered human risk, particularly negligent employees, as a key concern.

Happily, however, things are now being looked at differently. Gone are the days of employees being regarded as the weak link in the cybersecurity chain. Instead, a different mindset prevails. A slew of measures from training and awareness to empowerment, has ensured that employees are now the pivot for building a strong cybersecurity culture that will ensure much-needed cybersecurity resilience (1).

The role of human behaviors and organizational entities

It is worthwhile looking at human behaviors in the context of a discussion on cybersecurity culture and the spirit of employee reporting. The complexity of human behavior and the role played by certain organizational entities are important factors to consider when building a cybersecurity culture around employees, that will especially facilitate timely and consistent reporting. Human nature is complex, with each persona exhibiting varied characteristics and behavioral patterns forged by one’s past, one’s views, experiences, expectations, and even by society. Harvard Business Review (4) lists some of the human behaviors, that can be influential when building a cybersecurity culture around employees.

• Past behaviors are often repeated and regularly applied to present and future tasks
• The outside world is often referred to for clues as to how to act when faced with uncertainty
• There is an inner need in people to attain the unattainable or rare, and people are known to expend extra efforts to realize these needs
• People tend to gravitate in terms of their behavior to those who are similar to them or appeal to them
• Authority plays a big role in people’s behavior, with most likely to follow instructions or advice given by someone in power

Forbes (5) goes further, emphasizing that the behaviors of certain organizational entities like the C-Suite members, IT department, Help Desks, Communication teams, and even peers play an important role in shaping employee behaviors. Employees tend to look to these entities for clues, advice, and guidance on areas that are new or unfamiliar to them.  Undesirable responses or behaviors on the part of these entities can have a negative impact on the behaviors of employees.

Building an employee-centric cyberculture

In 2023, thought leader Gartner (6) listed human-centric security design amongst the top trends for cybersecurity, articulating the high possibility of even well-laid-out cybersecurity programs failing in the event of employees’ perspectives and challenges not being factored in. Organizations that have realized this are therefore approaching the challenge of building a strong cyberculture amongst employees with a studied approach.

Amongst the first steps is to realize and channel the immense potential of employees as influencers and force multipliers when it comes to cyber hygiene. Cofense Intelligence’s (7) studies reckon that even a single employee reporting a malicious email can spiral into a host of emails being acted on by others, thus creating a flood of similar precautionary actions. Employees are therefore being empowered and encouraged to report suspicious activity.

Yet the culture-building process calls for a balance of technological defenses and long-term employee engagement. They are the twin requirements for effective and solid cyberculture, with the latter necessarily being treated as ‘part of the solution, and not the problem’.

Harvard Business Review’s article (4) on fostering a strong cyberculture suggests the following measures.

• Ensuring employees sign a security policy that covers judicious handling and non-disclosure of organizational data, and mandating them to report suspicious activity or incidents
• Leaders in the organization should demonstrate good cyber practices, as they tend to be emulated by employees
• A culture of reciprocity to be carefully built, so threat intelligence sharing is practiced and optimized
• Highlighting organizational information that is highly sensitive and needs to be protected by a workforce that has a sense of belonging and ownership
• Creating role models of exemplary cyber behavior, and appointing cybersecurity champions, so employees endeavor to emulate them
• Reducing complexity in cybersecurity practices to minimize employee resistance, and productivity losses due to fatigue and burnout
• Conducting regular and value-based training
• Establishing a strong reporting system with due consideration for anonymous reporting
• Fostering a spirit of positivity rather than resorting to accusatory behaviors during forensic discussions and lessons-learned sessions

The challenges

The role of HR cannot be discounted in the effort to build a robust cyberculture. Yet despite the advent of strong HR systems in organizations, less-than-desired success is sometimes experienced in the process of developing an optimal cyberculture. Some of the major reasons cited for this are:

• Lack of commitment from top management to address both technology enhancement and employee integration
• Absence of a robust, continually updated technical solution for cyber incidents
• Sheer lack of awareness on the part of employees as to the problem-in-the-making
• Innate tendency of employees to avoid reporting on the premise that the suspicious activity may not be severe, or is the responsibility of the IT or cybersecurity team
• Fear or apprehension of retribution after calling out malicious actors, or fear of being shamed for letting down a colleague
• Unaddressed overwhelming work detail resulting in fatigue and burnout of employees

Final words

While incentivizing employees to report instances of phishing and other suspicious or malicious activity is indeed followed in many organizations, the cybersecurity industry would do well to take a leaf out of the plant construction business playbook. The latter has literally made safety a way of life. From safety committees, safety managers, safety audits, daily safety meetings, safety awards, and safety drills, the industry practices it all.

It is time that the mature cybersecurity industry follows suit. After all, as with the implications of a safety incident in a plant site, the devastation that can be caused by not reporting a cyber incident could be just as crippling.

References:

• Cybersecurity And The Human Factor: What Is Each Employee’s Role? (forbes.com)
• Building A Security-First Culture: The Key To Cyber Success (forbes.com)
• Cybersecurity in Organizations: The Essential Role of Employee Par… (tr.im)
• Your Employees Are Your Best Defense Against Cyberattacks (hbr.org)
• Cybersecurity And The Human Factor: What Is Each Employee’s Role? (forbes.com)
• Putting The Employee Experience First In Cybersecurity Training (forbes.com)
• Importance of Employee Reporting in Cybersecurity | Cofense