Punishing Employees Won’t Improve Password Security
By Julia O’Toole, CEO and Founder at MyCena, who explains why sanctioning employees for failing phishing tests is failing business
Proofpoint’s annual report on phishing recently revealed that the UK is by far the worst culprit for disciplining employees that fail cybersecurity tests. In fact, 42% of employers inflict monetary penalties on staff that engage with real or simulated phishing attacks and 29% even lay off staff. These figures are both far higher than the global averages at just 26% and 18%.
Unsurprisingly, the report also highlighted an increase in the number of attacks year on year. In the UK, 91% of respondents revealed that they had faced a phishing attack and 84% reported seeing at least one email-based ransomware attack.
In recent years, companies have increasingly put pressure on their employees to maintain strong password hygiene, using strong, unique passwords for every account and not falling victim to phishing attacks. The reality is that punishing employees, whether verbally or financially, is misguided, and it certainly won’t secure your business. Amid an increase in cyber threats, it’s about time business leaders stopped blaming their employees for their own cybersecurity failures and took back control of the digital keys to their own network.
Taking back control and eliminating phishing
The data from Proofpoint’s report reflects a misunderstanding on the part of organisational leaders. The first mistake companies make is allowing staff to set up their own personal passwords, unknowingly relinquishing their access control rights to their employees while setting them up for failure. In this widespread transfer of risks and liabilities, coupled with an expansion of their digital footprint, lies the root cause of the ever-growing cyber-pandemic. By blaming other people for their own mistakes, C-suite members refuse to face their own.
In fact, the thinking around passwords needs a complete overhaul. Imagine an employer allowing each employee to create their own personal keys to access company buildings, elevators, floors, doors and data rooms. That’s exactly what’s happening when an employee uses their personal password to access a network and the critical parts of a business that cybercriminals are targeting.
In the physical world, when an employee starts a new job, the company hands him or her the keys, fobs and cards required to access the different parts of the building. When the employee leaves, the company takes back the keys, fobs and cards, ensuring the employee no longer has access to the company assets. Throughout their time working for the company, management has full responsibility and control of who can access what.
By asking employees to create their own digital keys to enter the different parts of their digital network, companies set themselves up to lose control of their digital infrastructure from the moment their employees are handed responsibility for their access keys.
When the onus doesn’t fall on an employee to manage their own access to the building, it seems nonsensical that it should fall on them to manage their own access to a network where crippling damage can be done.
Attacks are increasing in both sophistication and frequency
Phishing attacks are getting more sophisticated and harder to spot than ever before. Being able to perceive cyber threats is a challenge for even the most experienced and cyber-aware users. Your employees won’t all become cybersecurity experts, nor should they be expected to be. The current situation has put an untenable pressure and stress on the employees for no good reason.
We know that over 80% of data breaches start with a legitimate password. Placing the onus on the employee rather than the organisation is counterproductive, and financial punishments won’t ensure that it doesn’t happen again.
Instead of forcing employees to remember dozens of complex passwords for various access points, adapt your technology to support employees in only using strong, unique and encrypted passwords that can’t be shared or phished. Not only will it mean recapturing control of access points and cybersecurity, but it will also mean relieving your employees of an immense mental pressure. Passwords don’t need to be kept in people’s heads.
Ensuring cyber-resilience
Strong, unique and encrypted passwords can be controlled by an organisation and used by employees who never have to think of them, type them in or remember them. Punishing employees for human error is not sustainable. Making your digital access security reflect your physical access security means that employees aren’t left to take responsibility for an entire organisation’s security.
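To make the "hand out the keys, take back the keys" model concrete, here is a small Python model of organisation-issued credentials. It is an added illustration, not MyCena’s product or code, and it assumes a simple vault that generates a random credential per employee per service, submits it on the employee’s behalf (as a managed password manager would), and revokes it at offboarding; the protected service stores only a salted PBKDF2 verifier, so the password itself is never held by the system the employee logs into. Class names, the work factor and the sample employee "alice" are all constructed for this example.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune for your hardware


class ProtectedService:
    """A system the employee needs access to (e.g. an HR or finance app).
    It stores only a per-account salt and PBKDF2 verifier, never the password."""

    def __init__(self, name):
        self.name = name
        self._accounts = {}  # employee -> (salt, verifier)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def create_account(self, employee, password):
        salt = secrets.token_bytes(16)
        self._accounts[employee] = (salt, self._derive(password, salt))

    def delete_account(self, employee):
        self._accounts.pop(employee, None)

    def login(self, employee, password):
        record = self._accounts.get(employee)
        if record is None:
            return False
        salt, verifier = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(verifier, self._derive(password, salt))


class CentralVault:
    """Hypothetical organisation-held issuer. It generates, holds and revokes
    credentials; the employee never sees, types or remembers them."""

    def __init__(self):
        self._credentials = {}  # (employee, service name) -> password

    def issue(self, employee, service):
        # 32 random bytes, URL-safe encoded: a strong credential unique to this account.
        password = secrets.token_urlsafe(32)
        service.create_account(employee, password)
        self._credentials[(employee, service.name)] = password

    def revoke(self, employee, service):
        """Take the key back: remove it from the vault and from the service."""
        self._credentials.pop((employee, service.name), None)
        service.delete_account(employee)

    def offboard(self, employee, services):
        for service in services:
            self.revoke(employee, service)

    def open_session(self, employee, service):
        """The vault submits the credential on the employee's behalf, like a
        managed password-manager autofill. Returns True if the service accepts it."""
        password = self._credentials.get((employee, service.name))
        if password is None:
            return False
        return service.login(employee, password)

    def credentials_are_unique(self):
        """Sanity check: no credential is reused across accounts."""
        values = list(self._credentials.values())
        return len(values) == len(set(values))


def demo():
    """Issue two keys to one employee, use them, then offboard and confirm
    neither works any more. Returns (access_before, access_after)."""
    hr, finance = ProtectedService("hr"), ProtectedService("finance")
    vault = CentralVault()
    vault.issue("alice", hr)
    vault.issue("alice", finance)
    before = vault.open_session("alice", hr) and vault.open_session("alice", finance)
    vault.offboard("alice", [hr, finance])
    after = vault.open_session("alice", hr) or vault.open_session("alice", finance)
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because each credential is generated by the organisation and unique to one account, the credential for one service is useless against another, and revocation is a single central action rather than a request to the employee; that is the property the physical-keys analogy above is describing.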
Julia O’Toole
Julia O’Toole is the founder and CEO of MyCena Security Solutions, a breakthrough solution to manage, distribute and secure digital access. An inventor and author of several patents, Julia uses maths, neuroscience and technology to research and design simple yet innovative solutions for complex problems. Julia’s areas of research and expertise include cybersecurity, collaboration and search. Julia founded MyCena in 2016, which has since become a market leader in segmented access management and safe password distribution. With its ground-breaking patented security system, MyCena protects companies from the risks of password error, fraud and phishing, loss of command and control, ransomware, and supply chain cyberattacks.