Security Awareness in the Age of Disengaged Employees: An Emerging Risk.

On the last day of Security Awareness Month, I thought it necessary to share a point of view which I have not seen documented anywhere or studied in detail. This short write-up is inspired by conversations with persons who were recently laid off, of which there have been many in the past year. To be clear, I am an advocate for security awareness training, and I acknowledge that attacks have continuously become more sophisticated, making it increasingly difficult to detect and prevent attacks aimed at end users. But how do we deal with employees who do not care or are becoming increasingly disengaged? Do we use a carrot or a stick approach?


Why don’t they care?

1: I recall a conversation at an event over 15 years ago in which I mentioned getting buy-in from both HR and unionized staff to build incentives into performance appraisals for completing security awareness training. The staff members would not complete the training because they saw it as extra work not included in their job descriptions. Persons who worked in the private sector with no exposure to this type of environment could not comprehend it; in fact, one senior manager in attendance said he would never take this approach (incentivizing employees) but would instead read the riot act and make employees complete the training. My initial thought was that a big stick approach might work in some environments but not in a unionized one. Fortunately (or unfortunately), I had the pleasure of experiencing multiple failures trying to implement security awareness training before the change of approach, which subsequently resulted in 100% participation and completion, up from the previous 20-30% participation.


2: Over the past year, hundreds of thousands of employees have been laid off for various reasons, which will not be discussed here, as I promised to make this a short article. Certainly, I cannot be the only person who has observed an increasing number of disengaged employees who believe that organizations do not care for them and who believe they should reciprocate in kind and not care about the organization. Of course, there are arguments which can be posed: their jobs depend on a successful and profitable company. But as one person I met recently told me, while she will not do anything malicious, "she got laid off even when the company was making record profits and now rehiring a few months later they got rid of her". Previously, she would take extra care; going forward, there won't be that extra due diligence.


That conversation was admittedly at a happy hour event and not a scientific study by any means, but the same sentiment was echoed by many at the table, which could not help but make me think of a new challenge for CISOs. It is not insider threat, as I do not think the person will do anything malicious, but a new type of risk to organizations whose impact we may already be feeling without yet having correlated the root cause to disengaged employees, a risk that no amount of security awareness, technology solutions or big sticks can fix. For the sake of all of us, I hope that this is only a case of happy hour banter.

David Bratt

Independent Medical Practice Professional

1 year

Think we are going to see more and more disgruntled employees, laid off or not. The Covid lockdown and the rise of Zoom have caused sustained harm to the brain health of people, manifesting in severe anxiety, especially in those over 50, and employers do not seem to understand this. The result? More disengaged employees. That's dangerous.

Ralf Lenz

Network Engineer | GRC | IT Generalist | 12-Language Developer | Technology Strategist | BOFH

1 year

You know what mitigates / tempers the anger and potential risk of involuntarily separated employees? Lump cash settlements for the amount you underpaid them during their tenure. Definitely worked for me, anyway.

Jed A. Reay

Substance Use Disorder Counselor | Mental Health Services | Group Facilitator

1 year

This is a critical discussion, and I thank you, Roland Kissoon MBA, CISSP, CCSK, for stepping up with the dialog. This is by far the weakest link in the chain of security.

Roland Kissoon MBA, CISSP, PMP

Cybersecurity Executive | VP Citi : Infrastructure Defense Engineering SASE | Zero Trust | Cloud Security - CNAPP | GRC | Blockchain | Independent Board Director (NED) | Adjunct Lecturer | Open Networker

1 year

Tagging Lance Spitzner, who in my estimation is the #1 authority on Security Awareness on the planet. Hopefully he may share his thoughts on this particular matter.
