It felt like every day of 2020 presented us with yet another thing we needed to do differently. In fact, just the switch to working from home was enough to completely alter our work styles. And while the switch to remote work did gift us a number of upsides, it also contributed to a significant uptick in negative workforce behaviors.
What are Negative Behaviors?
At some point, we all behave in ways that expose organizations to risk. Negative workplace behaviors contribute to organizational risk, as these behaviors by definition go against protective rules and guidelines. In the tech and cybersecurity space, this doesn’t just refer to written rules, but also to implied rules that reflect both individual and organizational cultures. And while we naturally think of behavior-based risks as being of a malicious nature, risky behavioral profiles also include inadvertent behaviors, and some that may even be laudable. You can think of these behaviors as falling into three distinct profiles, with each having a different effect on organizational security:
- Slackers: Everyone is a slacker at some point. Slacker behaviors include browsing on the web or conducting personal business on the company network—all things that seem minor but end up exposing the company to risk. These behaviors contribute to accidental insider threats.
- Go-Getters: Much beloved by company leadership, these employees are so productivity-obsessed that they are continually plotting (often unsanctioned) creative workarounds to get things done faster. This might mean using shadow IT or personal cloud applications, or even using unapproved removable media to facilitate their workflow.
- Evildoers: These malicious insiders are motivated to cause harm to an organization. Their motivation may be external, such as in corporate espionage, or in some cases, it may be driven by anger or revenge-seeking. Malicious insiders are often the most talked-about insider threats, and the ones we most often associate with insider risk, even though they are the least common.
The difference between the categories is motivation. Slackers simply lack forethought and attention to detail while Go-Getters are just trying to make quick decisions and take the path of least resistance. The harm that Slackers and Go-Getters can do to an organization is unintended, of course, but still represents a serious threat. Perhaps even a more serious threat than the Evildoers.
Knowing the rules, both written and implied, and then designing behavior-centric metrics surrounding the rules can help us mitigate the impact of these risky behaviors.
A Human-Centric Approach to Reinforcing Good Behavior
Changing behavior isn’t easy. Mandatory training and awareness campaigns generally fall flat. Fear-mongering is also unhelpful and counterproductive, not to mention unempowering. So what can companies do to reinforce behaviors that keep them out of harm's way?
Modeling works. When security and IT teams model good behavior, others often do the same. Our current challenge is ensuring that employees actually see this good behavior when they aren’t working in the same place.
Without that in-person modeling, we have to rely on continuous assessments and communication. Company leaders need to regularly test the organization for vulnerabilities and target their conversations to the specific risky behaviors at play. Then they can follow up with communications around safe habits and the importance of cybersecurity-forward behaviors. Additionally, we can commend individuals who engage in positive security behaviors.
People and technology are inseparable, and when we ignore human factors, we are missing an enormous component of understanding risk and vulnerabilities.
I recently discussed this topic in more detail with Information Security Forum Sr. Security Analyst Daniel Norman. Feel free to watch our Slackers, Go-Getters, & Evildoers webinar.