Lisa Forte, Partner at Red Goat Cyber Security LLP, discusses how blame culture amplifies insider data breaches and recommends steps organizations should take to avoid this.
Transcript:
One of the organizations I worked with recently had this really strange culture where anyone who reported that they'd clicked on a link in a phishing email would be forced to spend an entire hour with the security manager. He would then send around a list at the end of the month of every single person who had clicked on a link in a phishing email, thus shaming them to their colleagues.
The culture of fear in this organization grew and grew and eventually, they had a data breach and they traced this back to a phishing email. No one had reported that they'd clicked on that link because everyone was just too afraid of what would happen if they did. It's far better for your security teams to know that someone has made a mistake than for it to go unnoticed for months and the damage increase.
There are three things organizations can do to overcome this blame culture problem:
The first is to train your staff on why you need to report any mistake you make and that actually, you have a responsibility to report those mistakes.
The second thing is to make reporting really really easy for staff. One company I spoke to got their staff to print off the phishing email, sign it, scan it back in, save it as a PDF, and then email that PDF to the security team. How many people do you think did that? Pretty much zero.
The final thing to do is to make sure that when staff do report, tell them they've done the right thing and congratulate them on their behavior. This is more commonly known as no-fault reporting. There is one exception to this rule of no-fault reporting and that's when it comes to reckless insiders, and these are members of staff who consciously take a risk that they know is a risk to your company's data and security, and it's really important with these individuals that you reiterate to them that this is not acceptable behavior.