CIPD. Dealing with repeat offenders

24 January 2019

Phil Chambers, Metro COO, in the CIPD's People Management Magazine discussing how to deal with cyber security offenders


How to deal with repeat cybersecurity offenders

As the cost of security breaches increases, it might only be a matter of time before HR is charged with handling unwitting offenders.

A colleague recently told me that his employer used to have a wall of shame for cybersecurity offenders. People who clicked on phishing emails one too many times, shared login details or regularly fired off emails to the wrong recipients had their mugshot in this rogues’ gallery.

There was so much negative feedback that, despite it being a lighthearted initiative, this jokey public shaming didn’t last long. The ‘naughty list’ was, however, privately sent to HR leaders and line managers so they could take remedial action with employees who kept making slip-ups.

However, a second scheme, which rewarded behaviour rather than punished it, was received far more positively. Employees who quickly identified data violations and alerted the right teams via the correct processes were given prizes and regarded as role models.

Does this mean the carrot is better than the stick when it comes to managing employees who repeatedly make cybersecurity mistakes? Intriguingly, my colleague said the results of these two methods were broadly the same – they both worked as effectively as each other when it came to deterring further breaches.

Many security breaches are caused by social engineering, a mental manipulation method that plays on employees’ emotions – boredom, curiosity or the desire to impress – and lures them into following a demand from a purportedly trustworthy source. It might be a vishing (voice-phishing) call from what appears to be the bank, asking for a PIN, or a phishing email from someone masquerading as the tax office, requesting login details.

Research conducted by Willis Towers Watson and ESI ThoughtLab in 2018 shows the vast majority of cyber incidents result from employee behaviour and human error. A large proportion of these errors are induced via social engineering. So how can HR teams address this issue and manage repeat offenders?

To read more please go to CIPD's People Management Magazine