October 17, 2016

Attitude Problem: The Security Risk of Low Morale

A data breach could be a sign of bigger cultural problems.

A data breach caused by the vulnerabilities of your employees—e.g., phishing email scams or compromised mobile devices—might seem like strictly a knowledge problem. But it could be bigger than that: a morale problem. A study earlier this year by Willis Towers Watson found that organizations experiencing these types of data breaches “are judged by their employees as lacking a learning culture that flourishes with high integrity and puts the customer at the center of business activity.”

The study examined opinions from over 450,000 employees in 12 organizations that suffered significant data breaches, which it found to be due to poor employee security habits. Willis Towers Watson compared those responses with those of workers from high-performance companies.

Falling Short

Companies that experienced breaches were viewed by employees as most deficient in three areas:

  • Training: Training for the work they do and for improving skills and learning new skills to advance in their roles.
  • Company Image: Corporate social responsibility, environmental responsibility, regard from customers, and integrity when dealing with external stakeholders.
  • Customer Focus: A culture responsive to customer needs that fosters proactive efforts to gather and act on customer feedback. “A lack of emphasis on the customer … likely sets the stage for poor decision making related to business risks and may undermine the vigilance needed to successfully counteract attempts to steal online customer information,” Willis Towers Watson says.

Many breached enterprises do train employees on cybersecurity, but these efforts do not necessarily resonate through the ranks. To be effective, enterprise data security awareness and educational programs must engage and motivate employees to stay focused on how their behavior impacts cybersecurity over the long term, not just during and immediately after training exercises.

Owning It

The fast-changing nature of cybercrime demands that employees throughout the organization take ownership of enterprise data security. For IT staff in particular, that means keeping up to date on new threats, and being recognized and rewarded when an employee goes outside the bounds of his or her job to thwart these threats.

Inadequate data security performance can be an indicator of an inability to create an ongoing learning environment, Willis Towers Watson says. Research links a learning culture with best-in-class business performance, says Robert J. Grossman, professor of management studies at Marist College. That’s because companies that learn fastest and adapt well to changing environments fare better than others. Top-performing enterprises have employees who excel at critical thinking, are strongly motivated to learn, and are effective collaborators. So, if substandard data security practices are widespread, this “may reflect a lack of emphasis on staying current with emerging business needs and trends,” according to Willis Towers Watson.

The takeaway: If employees are not stepping up their vigilance against cyber attacks, it could mean that your enterprise has to work harder on creating a learning environment to become a top-performing organization. And, if “not-part-of-my-job” syndrome permeates the organization on enterprise data security, it’s time to ask if this attitude extends to other important matters.
