Security Awareness in the Age of Disengaged Employees: An Emerging Risk.

On the last day of Security Awareness Month, I thought it necessary to share a point of view which I have not seen documented anywhere or studied in detail. This short write-up is inspired by conversations with persons who were recently laid off, of which there are many in the past year. I’m an advocate for security awareness training to be clear and acknowledge that attacks have continuously become more sophisticated, making it increasingly difficult to detect and prevent attacks geared at end users. But how do we treat with employees who do not care or are becoming increasingly disengaged? Do we use a Carrot or Stick approach?

Why Don’t they care?

1: Recalling a conversation at an event over 15 years ago when I mentioned getting buy-in from both HR and unionized staff to build incentives into performance appraisals to complete security awareness training. The staff members would not complete the training as they saw it as extra work not included in their job descriptions. Persons who worked in the private sector with no exposure to this type of environment could not comprehend; in fact, one senior manager in attendance said he would never take this approach (incentivizing employees) but instead would read the riot act and make employees complete the training. My initial thoughts were that a big stick approach might work in some environments but not in a unionized environment. Fortunately (or unfortunately), I had the pleasure of experiencing multiple failures trying to implement Security Awareness training before the change of approach, which subsequently resulted in 100% participation and completion, previously 20-30% participation.

?

2: Over the past year, there have been hundreds of thousands of employees who have been laid off for various reasons, which will not be discussed as I promised to make this a short article ??. Certainly, I cannot be the only person who has observed an increasing number of disengaged employees who believe that organizations do not care for them and believe they should reciprocate the same and not care about the organization. Of course, there are arguments which can be posed – their jobs are dependent on a successful and profitable company, but as one person I met recently told me, while she will not do anything malicious, "she got laid off even when the company was making record profits and now rehiring a few months later they got rid of her". Previously, she would take extra care; now, going forward, there won't be that extra due diligence.

?

That conversation was admittedly at a happy hour event and not a scientific study by any means, but the same sentiment was echoed by many at the table, which could not help me think of new challenges for CISOs: Not insider threat as I do not think the person will do anything malicious, but a new type of risk to organizations which we may be feeling the impact but have not yet correlated the root cause as disengaged employees where no amount of security awareness or technology solutions or big sticks can fix I hope that this is a case of happy hour banter for the sake of all of us.