Skip to content

Why Workers Violate Cybersecurity Policies

Some cybersecurity risks cannot be solved with technology. This is one of them. It’s tied to productivity. And it’s more predictable (and fixable) than you might think.

Long Read

The radiological technicians had a problem. Each time one of them wanted to access medical records on their hospital’s shared computer system, they had to individually log on. The
system and software were so old, the logon process could take up
to five minutes.

Their fix: Whoever arrived first on the shift would log in under their ID. And whoever was the last one would log out.

“They didn’t mean any harm,” says Clay Posey, who as chief research scientist at the cyber consulting firm Beyond Layer 7 interviewed the team about their cyber hygiene habits. “They weren’t trying to
create a confidentiality breach.” But their actions created the potential for one.

From employee to insider threat

Such an insider threat is known as “non-malicious noncompliance.” It is one of the common ways workers violate cybersecurity policies. “They knew what they were doing was against policy,” says Posey, who is also an associate professor of information systems at the Brigham Young University Marriott School of Business. “But security rules that were deemed to be good got in the way of productivity and workflow. So this group simply created a work-around.”

Know your IT risk posture

In another age, that ingenuity might be applauded. But not today when cybercriminals and nation-state hackers are constantly probing endpoints and network vulnerabilities, looking for logins, access
to sensitive data, and ways to spring lucrative ransomware attacks
on victims.

In fact, insider threats like the one at the hospital are often the result of employee stress, the need to get the job done, and even misguided altruism. That’s according to a June 2020 study by Posey and others, published by the National Science Foundation, in which his team studied the cyber behavior of newly remote workers. They found that remote work (which continues to be the default work mode for millions) has created more opportunities for these security compromises.

Scott Shackelford, chair of IU-Bloomington’s Cybersecurity Risk Management Program, who was not involved in the study, says, “Generally, these issues are due to a lack of either understanding, concern, or stress and haste. And that’s an open backdoor invitation to the bad guys. “It’s not uncommon, for example, for fraudsters to contact employees late on a Friday afternoon, or over a holiday break, when they know worker attention will be distracted,” he says.

It’s a key cybersecurity risk that cannot be solved with technology. It can only be solved by addressing the humans in the system. IT teams can design better mousetraps, but if they do so in a vacuum—without considering the worker at the keyboard who is now part of a distributed network ecosystem outside the protective corporate perimeter—it’s bound to end in lost cheese.

How remote workers really treat cybersecurity protocols

Posey’s study of more than 330 remote workers from a broad range of industries, found that IT departments often have a limited understanding of how their rules might interfere with people’s workflows or create new sources of stress. The study, which relied on self-reporting over a two-week period, found that 18% of cybersecurity policy violations were motivated by a desire for one or more workers to help each other. Overall, 67% say they failed to adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.

It’s not uncommon for fraudsters to contact employees late on a Friday, or over a holiday break, when they know [workers] will be distracted.

Scott Shackelford, chair, Cybersecurity Risk Management Program, IU-Bloomington
The reasons given for these breaches are telling. Among the top three were “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.” Combined, they accounted for 85% of reported intentional security rule breaking.

Indeed, remote work seems to boost the risk for non-malicious noncompliance among employees. This can range from workers downloading unapproved software to their company laptop to allowing family members to use company equipment. People are also accessing sensitive data on their mobile devices more frequently when working from home.

As a result, organizations are struggling with how to reinforce cybersecurity compliance.

Understanding the psychological burden of work-from-home security

Among the most pernicious cybersecurity problems that organizations face with today’s remote workforce are email phishing scams, a.k.a. business email compromise (BEC). Here’s how it can work: An attacker posing as a supervisor or close co-worker emails an employee an urgent request to transfer funds. The time pressure, and the desire to help, can push workers to break protocol and make these transfers without verifying the request.

Protecting an organization from cyberattacks means not just instituting a verification policy for large transactions, but also educating employees on why security protocols matter, minimizing the extent to which they impede daily work, and providing guidance on what to do when protocols conflict with getting the job done.

As remote work continues for millions of workers, cybersecurity experts say that managers should be vigilant about the potential psychological burden that employees face working under the systems that monitor them. Surveillance systems, like tracking
tools and keystroke monitoring, might feel particularly intrusive
at home. Even if there’s no direct fallout, research suggests that the added stress could indirectly make people more likely to break security protocols.

[Read also: Remote work increases data privacy concerns]

Business and tech leaders should be sure to involve their employees in the creation of new security measures, evaluation, and implementation. Posey says IT teams must strike a balance between what he calls “avoidance thinking and tolerance.” Rather than using punishment for a security violation, managers should accept that workers will make mistakes.

“Stuff is going to happen, and managers should make a concerted effort to understand the root cause of that,” he says.

Using more carrot and less stick in cybersecurity training for workers

In fact, IT and security teams can benefit from workers who are naturally curious and want to understand the reasoning behind their cumbersome security policies, Posey says. Teams should understand that—unlike malicious attacks and unexpected supply chain vulnerabilities—many employee-driven breaches stem from an attempt to balance security and productivity, and they often result from entirely predictable human behavior.

[Read also: Managing software supply chain risk starts with visibility]

Security teams must educate workers on the prevalence of non-malicious violations. But it needn’t (and shouldn’t) stop there. Understanding what motivates employees, and involving them in the process of developing and user-testing security policies, can go a long way toward getting them to step up and help. And, most important, business and tech leaders must work to ensure that cybersecurity protocols don’t hinder employee productivity.

“The majority of people just want to get their job done,” says Posey. “They don’t go into work every day and say, ‘Hey, how can I screw stuff up?”

Holly Rosenkrantz

Holly Rosenkrantz is a former White House and business reporter for Bloomberg News. She specializes in analytical and investigative research, covering legal, finance, security, healthcare, and technology issues.