Blaming employees and potentially ruining their lives in the wake of a cyber attack is not the way to do things.
Cyber-attacks are inevitable; no organisation can claim to be 100% un-hackable or infallible. So when employers blame their staff in the event of a successful attack, they are doing more harm than good.
Imagine you work in a job where you're responsible for budgets and for transferring funds. You've had a busy day and are both tired and under a lot of stress as your line manager puts yet more pressure on you to get that report done on time.
An email arrives in your inbox. It's titled 'URGENT' and is 'from' the managing director. You open it, and the message sounds legitimate. After all, it's not the first time the sender has asked for a last-minute transfer of funds.
Not wanting to land in hot water with the MD, and in your already stressed state, you carry out the request. Your shift ends and you head home, thankful that you've survived another day. The next morning your phone rings; it's Debs from accounting. She's spotted something wrong with the company accounts. A large sum of money was transferred to a fraudulent account, and the transfer was made by you!
Panic starts to set in, and as you arrive in the office you're confronted with furious managers and perhaps even the police. It turns out that you've been the victim of a sophisticated social engineering and spear phishing attack. You lose your job (your defence that you were never given any cybersecurity training is ignored), and what's worse, your now former employer is taking legal action against you for the lost money.
This scenario can happen to anybody, but depending on how a company handles such situations, the fallout can be hugely damaging.
Such a scenario, unfortunately, occurs all too often. Research conducted by Kaspersky Lab in 2018, based on 5,878 interviews with businesses of varying sizes from 29 countries around the world, showed that 31% of incidents led to employees losing their jobs.
In the UK, an employer recently made the headlines for taking one of their staff members to court for making a mistake that anyone can make. She fell victim to a spear phishing attack where the attacker posed as the company’s managing director and ordered her to transfer funds to an account created by the fraudster. The employee did as requested, resulting in the loss of over a hundred thousand pounds.
As a result, the company pinned the blame on the mortified employee. Following a tribunal, the employee was fired from her role and is now being sued by her former employer for the money that they couldn’t recover.
The way this employee has been treated is not only unfair; if the employer is successful in the courts, it also sets a dangerous precedent.
Companies need to ask themselves: would the CEO or directors be held accountable in the same way? If not, then that will create an 'us vs them' type of culture.
Creating a culture of fear in an organisation not only makes it more likely that employees will be too afraid to report incidents, fearing for their jobs and the threat of possible legal action; it also makes it more likely that further attacks will succeed. An incident that goes unreported goes uncontained, and the window in which a fraudulent transfer can be recalled or an attacker's access revoked closes fast.
Such a culture could also increase the chances of creating malicious insiders, who out of resentment of their employer's strong-arm tactics and blame culture may be more inclined to cause trouble deliberately.
The introduction of cybersecurity training is often hailed as the best way to reduce the risk of such social engineering and spear phishing attacks. Training shouldn't be just a box-ticking exercise, but even good training doesn't mean that an attack will never succeed. We're all human and prone to making mistakes. No amount of training can provide a 100% guarantee that such attacks will not work. That is why training has to sit alongside controls that don't depend on a tired, pressured person getting it right every time: dual authorisation for payments above a threshold, out-of-band confirmation (a phone call to a known number, not a reply to the email) before funds go to a new or changed payee, and checks on inbound mail that flag messages claiming to come from the company's own executives.
“Firms should get their own cybersecurity in order before blaming the staff. As the CEO of a midsize business, I am sure someone will eventually do the wrong thing, including me.
Some phishing emails are incredibly sophisticated these days, and when you factor in the everyday pressures of work and stress it's easy to see how someone can make a mistake.
It’s our responsibility to be able to cope with it. We need to support staff with cyber awareness training and ensure we’ve got everything in place for operating in the digital age,” said David Carroll, CEO at XQ Cyber.
Rather than cultivating a culture of fear, where employees are too scared to report anything suspicious or too afraid to ask pertinent questions, employers should instead encourage an open and honest one.
Blaming employees for mistakes that anyone can make gets you nowhere and is likely to hinder any incident response.
If people aren't honest about what has happened, how can you get a clear picture of what occurred and respond effectively?