Cybersecurity: Why a culture of silence and driving mistakes underground is bad for everyone

Creating a cybersecurity culture in which employees are scared to come forward about potential cybersecurity mistakes just creates more problems in the long run - especially if cyber criminals have breached your network.
Written by Danny Palmer, Senior Writer

Cybersecurity works best when people know that their corporate information security team will be sympathetic to mistakes. That's because, if someone suspects they may have clicked a phishing link or fallen victim to a cyberattack, they're much more likely to be open about it – and that helps the whole organisation stay secure against malicious hackers.

Organisations face potential cyber threats on a daily basis as criminals attempt to breach networks using various methods, including phishing, in an effort to gain usernames and passwords, or even to lay the foundations for a malware or ransomware attack.

Cyber defence is asymmetric: defenders have to hold every door, while an attacker needs to succeed only once to find an opening. Often that opening is an employee unintentionally falling for a phishing email, an incident that, if it goes unreported and unchecked, can have significant consequences for the organisation as a whole.


Organisations should, therefore, be understanding with employees and encourage them to contact their information security team if they suspect they might have fallen victim to a phishing attack or any other potentially malicious activity.

"The last thing I think we want to do – whether people are at home or in the office – is to create a sort of culture where you drive incidents or mistakes underground," David Emm, principal security researcher at Kaspersky, told ZDNet Security Update.

"Because actually, as an IT department, you want to know if somebody clicked a link and they shouldn't have. You want them to ring you up and say, 'I think I've done something silly, I didn't realise I clicked on a link' – great, OK, we can manage that now we know about it."

There's a risk that if people are worried they'll be punished for making a cybersecurity mistake, they won't come forward to talk about it in the first place – and that's only going to cause more serious issues, especially if cyber criminals have managed to infiltrate the network.

"If people don't want to tell you, because they think they're going to get into serious trouble, it just goes underground and you have no visibility of that," said Emm.

And if organisations don't have any indication that there could be malicious activity within their network, they can't look for it, meaning a malicious hacker could be inside the network for a long time, laying the groundwork for a significant cyberattack.
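What "now we know about it, we can manage it" looks like in practice is scoping: a single self-report gives the security team a concrete indicator (the phishing URL and a time) that can be searched for across the whole organisation, turning one honest phone call into a list of everyone else who visited the same site. The following is an added illustration written for this page, not code from the article, ZDNet or Kaspersky. The proxy log format, the report format and the sample log lines are all constructed assumptions for the example; a real deployment would parse whatever the organisation's web proxy actually emits.

```python
"""Scope a self-reported phishing click against web proxy logs.

Added example for this article (not the page's own code). The log format
(ISO timestamp, user, method, URL, status) and the report format are
assumptions chosen for the illustration; adapt parse_proxy_log() to the
real proxy's output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log: one line per request, space separated.
SAMPLE_PROXY_LOG = """\
2023-03-14T09:58:12Z alice GET https://intranet.example.com/home 200
2023-03-14T10:02:41Z bob GET http://secure-login-update.example.net/verify?id=77 200
2023-03-14T10:03:05Z bob POST http://secure-login-update.example.net/submit 302
2023-03-14T10:11:30Z carol GET http://secure-login-update.example.net/verify?id=91 200
2023-03-14T11:47:00Z dave GET https://news.example.org/article 200
2023-03-15T08:20:10Z erin GET http://secure-login-update.example.net/verify?id=12 200
"""


@dataclass(frozen=True)
class ProxyEvent:
    ts: datetime
    user: str
    method: str
    url: str
    status: int


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def parse_proxy_log(text: str) -> list:
    """Turn the assumed proxy log format into ProxyEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, status = line.split()
        events.append(ProxyEvent(parse_ts(ts), user, method, url, int(status)))
    return events


def refang(url: str) -> str:
    """Users often paste defanged links ('hxxp://', '[.]'); undo that before matching."""
    return (url.strip()
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def host_of(url: str) -> str:
    return (urlsplit(refang(url)).hostname or "").lower()


def scope_report(reported_url: str, reported_at: str, events: list, window_hours: int = 24) -> dict:
    """Given one user's report, find every user who touched the same host near that time.

    Matching is done on the hostname rather than the full URL because phishing
    kits hand out per-victim paths and query strings. A POST to the host is
    treated as a likely credential submission, which is the first thing the
    responders need to know (those accounts get their passwords reset first).
    """
    host = host_of(reported_url)
    centre = parse_ts(reported_at)
    lo, hi = centre - timedelta(hours=window_hours), centre + timedelta(hours=window_hours)
    hits = [e for e in events if host_of(e.url) == host and lo <= e.ts <= hi]
    return {
        "host": host,
        "affected_users": sorted({e.user for e in hits}),
        "submitted_credentials": sorted({e.user for e in hits if e.method == "POST"}),
        "first_seen": min((e.ts for e in hits), default=None),
    }


if __name__ == "__main__":
    # The report Emm describes: "I think I've done something silly, I clicked on a link."
    report = scope_report(
        "hxxp://secure-login-update[.]example[.]net/verify?id=77",
        "2023-03-14T10:30:00Z",
        parse_proxy_log(SAMPLE_PROXY_LOG),
    )
    print(report)
```

Without bob's report the team has no indicator to search for, and carol and erin's clicks on the same site stay invisible; with it, one lookup produces the full list of affected users and shows which of them actually submitted something. The inverse is the case the article warns about: no report, no indicator, no search.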


So making sure employees feel comfortable coming forward about potential incidents, and that the information security team is going to be sympathetic – rather than punishing them – is key to helping the whole organisation stay safe from cyberattacks.

"Trying to encourage a feeling whereby people feel enabled or empowered to say things is really important, because that way, if you have visibility into it, you can manage it," said Emm.
