Employee or employer: who’s to blame for a cyber breach?

Imag­ine your foot­ball team has just nar­row­ly lost a game. Who’s respon­si­ble for the defeat? Is it the goal­keep­er who let the ball slip through their fin­gers in the first half, or the strik­er who missed a sit­ter in the clos­ing min­utes? Maybe it’s the manager’s fault for fail­ing to devise and imple­ment a suc­cess­ful game­plan?

Now take this anal­o­gy and apply it to a busi­ness try­ing to assign blame in the after­math of a cyber attack. Does the blame lie with the IT depart­ment for fail­ing to put effec­tive cyber defences in place, or is it the fault of the CEO for not imple­ment­ing a cul­ture of cyber aware­ness? Per­haps the employ­ee who clicked the link that con­tained mali­cious soft­ware should take respon­si­bil­i­ty? 

Many busi­ness­es opt for the lat­ter choice. Research from secu­ri­ty com­pa­ny Tess­ian found that 21% of the 2,000 US and UK work­ers they sur­veyed have lost their job in the past year after mak­ing a mis­take that com­pro­mised their company’s secu­ri­ty.

Impact of remote working

Iri­na Brass is asso­ciate pro­fes­sor in reg­u­la­tion, inno­va­tion and pub­lic pol­i­cy at Uni­ver­si­ty Col­lege Lon­don. She says the fig­ures show “a knee-jerk reac­tion. There’s a lot more organ­i­sa­tions can do to become more resilient before plac­ing the blame on employ­ees.” 

One option is a refreshed cyber­se­cu­ri­ty train­ing pro­gramme that reflects post-pan­dem­ic work­ing pat­terns. While many busi­ness­es pro­vide such train­ing to their employ­ees, often these over­look the new vul­ner­a­bil­i­ties exposed by the tech­nolo­gies that facil­i­tate wide­spread remote work­ing. 

The cloud is one exam­ple. Near­ly four out of ten busi­ness­es have accel­er­at­ed their migra­tion to cloud tech­nolo­gies dur­ing the pan­dem­ic, accord­ing to McK­in­sey, with 86% expect­ing this accel­er­a­tion to per­sist post-pan­dem­ic. 

But as Brass points out, the cloud cre­ates more routes for cyber­crim­i­nals to hack a busi­ness, under­min­ing per­cep­tions of the tech­nol­o­gy as a com­plete­ly secure option.

“It makes the attack sur­face larg­er and more homoge­nous because you have these cloud-based work pack­ages that are the same being deployed to large num­bers of peo­ple, mean­ing that once a hack­er fig­ures out a par­tic­u­lar com­pro­mise, they can apply it to all sorts of repli­cas.”

With more appli­ca­tions and tools being stored in the cloud, more peo­ple require access to it. This means the amount of data the aver­age employ­ee can access has grown expo­nen­tial­ly in a short peri­od of time. 

Cyber­crim­i­nals are exploit­ing this. They’re using the pri­ma­ry ben­e­fit of the cloud – its abil­i­ty to con­nect work­ers to essen­tial com­pa­ny doc­u­ments regard­less of their loca­tion – to access large amounts of data through a sin­gle breach. 

Dangers of consumer devices

This is part of a broad­er set of chal­lenges, stem­ming from the fact that our home envi­ron­ments are fun­da­men­tal­ly less secure than offices. 

The imme­di­ate shift to home work­ing exposed our work lap­tops – and busi­ness­es’ data – to an array of con­sumer-con­nect­ed Inter­net of Things (IoT) devices. Smart prod­ucts in the home – from light switch­es to speak­ers – expe­ri­ence an esti­mat­ed 12,000 hack­ing attempts each week, accord­ing to Which?. Small­er, cheap­er prod­ucts often lack many of the secu­ri­ty fea­tures of tra­di­tion­al com­put­ers, mak­ing them eas­i­er for cyber­crim­i­nals to hack. 

The threat posed by lax secu­ri­ty sys­tems for some IoT devices would ordi­nar­i­ly be iso­lat­ed to con­sumer data. But with wide­spread remote work­ing, these devices now act as a gate­way for hack­ers look­ing to access a company’s data. 

“Most con­sumer devices have dubi­ous secu­ri­ty spec­i­fi­ca­tions,” Brass says. “They have default pass­words and real­ly short soft­ware update peri­ods, if at all. And if a hack­er com­pro­mis­es them, they scan a work device that is on the home net­work for vul­ner­a­bil­i­ties and an employ­ee won’t even be aware it’s hap­pen­ing.” 

The cor­re­la­tion between the shift to remote work­ing and ris­ing cyber attacks sug­gests it’s the unique work­ing envi­ron­ment caused by the pan­dem­ic, rather than employ­ees them­selves, that’s dri­ving the spike in breach­es. The solu­tion may be fur­ther train­ing for employ­ees on the impor­tance of cyber hygiene both in and out of work­ing hours. 

Legal questions

The legal­i­ty of dis­miss­ing an employ­ee after they make a cyber­se­cu­ri­ty mis­take also war­rants con­sid­er­a­tion. Accord­ing to Mon­i­ca Atw­al, man­ag­ing part­ner and employ­ment law spe­cial­ist at Clark­sle­gal, an employer’s rea­son­ing for dis­miss­ing an employ­ee usu­al­ly falls into two cat­e­gories: gross neg­li­gence or gross mis­con­duct. 

These rea­sons require an employ­er to prove that on the bal­ance of prob­a­bil­i­ties the employ­ee is either cul­pa­ble of seri­ous care­less­ness or they engaged in a clear and seri­ous vio­la­tion of the company’s rules. 

The lack of reg­u­lar train­ing offered to employ­ees on cyber­se­cu­ri­ty under­mines the valid­i­ty of these rea­sons, Atw­al adds. A study from Soft­ware Advice ear­li­er this year found that 44% of SMEs have not trained their team on cyber­se­cu­ri­ty since 2020, despite 62% of them expe­ri­enc­ing an increase in cyber attacks in the same peri­od. 

The absence of a “sys­tem­at­ic approach to cyber­se­cu­ri­ty” weak­ens an employer’s argu­ment for dis­missal by gross neg­li­gence, in Atwal’s opin­ion, because of the need to demon­strate that an employ­ee received “inten­sive train­ing” on a “reg­u­lar basis” and still act­ed care­less­ly. 

“An employ­ee would clear­ly have an unfair dis­missal claim and you would get short, sharp shrift from an employ­ment judge if you said you received one train­ing ses­sion on some­thing that is so com­pli­cat­ed and nuanced,” she says. “It’s like being accused of steal­ing when you don’t even know you’ve tak­en some­thing.”

Pinning the blame

Despite the risk of being sued for unfair dis­missal, Tessian’s research shows that many employ­ers believe employ­ees should shoul­der the blame for any cyber inci­dents that hap­pen on their watch. 

Point­ing to the fact that the same research found that 29% of busi­ness­es have lost a client because of a cyber mis­take in the last year, Jeff Han­cock, found­ing direc­tor of the Stan­ford social media lab, notes many employ­ers are try­ing to “pin the blame” by dis­miss­ing employ­ees after a breach. 

“Busi­ness­es want to pro­vide a rea­son for why it hap­pened to their clients,” Han­cock adds, “but this comes at a long-term cost because employ­ees are going to be less like­ly to report attacks in the future.”

A pol­i­cy of dis­miss­ing any employ­ee who makes a cyber mis­take risks instill­ing a cul­ture of fear around report­ing such inci­dents. In time this would leave a busi­ness more vul­ner­a­ble to hack­ers, as employ­ees become unwill­ing to report any breach­es or vul­ner­a­bil­i­ties they’ve noticed in the company’s cyber defences. 

The solu­tion, in Hancock’s opin­ion, is a com­pa­ny cul­ture where cyber­se­cu­ri­ty is at the fore­front of every employ­ee’s mind, regard­less of their posi­tion. This would involve reg­u­lar train­ing ses­sions on the lat­est hacks cyber­crim­i­nals are using. It would be under­pinned by an under­stand­ing between employ­ers and employ­ers that cyber breach­es are ulti­mate­ly inevitable and not the respon­si­bil­i­ty of any one per­son. 

In a sim­i­lar way to a foot­ball team deal­ing with a loss, a breach is rarely the fault of a sin­gle indi­vid­ual. Good cyber­se­cu­ri­ty requires input from every employ­ee at a busi­ness, whether they’re the CEO or an intern. 

How human psychology causes cyber attacks 

Many high-pro­file cyber­se­cu­ri­ty inci­dents paint a mis­lead­ing pic­ture of the type of attack busi­ness­es should expect. Most breach­es don’t result from a hack­er cir­cum­vent­ing an organisation’s cyber defences. Instead, cyber­crim­i­nals are increas­ing­ly incor­po­rat­ing social engi­neer­ing tech­niques into their scams, rely­ing on psy­cho­log­i­cal manip­u­la­tion, rather than tech­nol­o­gy, for suc­cess. 

Phish­ing emails are one exam­ple of a social engi­neer­ing scam. These employ a wide range of psy­cho­log­i­cal manip­u­la­tion tech­niques to fool the recip­i­ent of the email to open a link or attach­ment that con­tains mali­cious soft­ware. 

Some prey on peo­ples’ fears, anx­i­eties, or emo­tions, caus­ing them to low­er their defences and let a hack­er into their sys­tem. Oth­ers invoke a sense of scarci­ty or urgency to goad a vic­tim into act­ing quick­ly with­out think­ing. 

Jeff Han­cock, found­ing direc­tor of the Stan­ford Social Media Lab, regards cyber­crim­i­nals as “good psy­chol­o­gists”, giv­en the wide range of manip­u­la­tion tech­niques they use. How­ev­er, as Han­cock points out, there are cog­ni­tive vul­ner­a­bil­i­ties that are unique to the work­place, mak­ing busi­ness­es par­tic­u­lar­ly vul­ner­a­ble to these types of scams. 

“With busi­ness­es, the hack­ers will know about social rela­tion­ships. You can eas­i­ly see who someone’s boss is, and because many peo­ple are def­er­en­tial to author­i­ty, this cre­ates a good attack for hack­ers look­ing to get employ­ees to share con­fi­den­tial infor­ma­tion.” 

Wide­spread home work­ing has exac­er­bat­ed this issue, with many employ­ees los­ing the face-to-face time with their man­agers that’s essen­tial for trust build­ing. Cyber­crim­i­nals exploit this by cre­at­ing scams that prey on an employee’s desire to impress senior team mem­bers and the vul­ner­a­bil­i­ties unearthed by iso­la­tion.

Often these scams lead the vic­tim into a deci­sion-mak­ing process that is quick, com­plex, and vul­ner­a­ble to emo­tion­al per­sua­sion. This com­bi­na­tion is high­ly effec­tive when the vic­tim is unable to speak to their col­leagues and get a sec­ond opin­ion on a sus­pi­cious-look­ing email.

Such vul­ner­a­bil­i­ties add to the per­cep­tion that staff are often the weak­est link in an organisation’s defence against cyber­crim­i­nals. How­ev­er, the vul­ner­a­bil­i­ties posed by human psy­chol­o­gy in cyber attacks are rarely giv­en the same atten­tion as the tech­no­log­i­cal threats from hack­ers in cyber­se­cu­ri­ty train­ing. 

Good cyber­se­cu­ri­ty is about more than tech­nol­o­gy. With social engi­neer­ing scams on the rise, busi­ness­es need to cre­ate a train­ing pro­gramme that informs employ­ees both what cyber attacks look like and the think­ing that under­pins them. 

Are employees careless or ignorant about cybersecurity? 

When an employ­ee enables a breach, employ­ers may need to deter­mine whether it came about through care­less­ness or igno­rance about the threat posed by hack­ers. The answer could guide any dis­ci­pli­nary action. 

How­ev­er, reach­ing a con­crete answer is a com­plex process, par­tic­u­lar­ly giv­en the num­ber of cyber attacks cre­at­ed on a dai­ly basis. Accord­ing to the AV-Test Insti­tute, approx­i­mate­ly 450,000 new pieces of mal­ware are detect­ed every day. Hack­ers send out rough­ly 3.4 bil­lion phish­ing emails dai­ly to poten­tial vic­tims. 

The range and fre­quen­cy of attacks on busi­ness­es com­pli­cates the train­ing process for employ­ees. Team mem­bers must be con­stant­ly vig­i­lant about a vari­ety of threats that prey on both the tech­no­log­i­cal vul­ner­a­bil­i­ties of the busi­ness and the psy­cho­log­i­cal vul­ner­a­bil­i­ties of its staff. 

Despite the increase in attacks by hack­ers, Julien Sori­ano, chief infor­ma­tion secu­ri­ty offi­cer at Box, believes employ­ees must be aware of the data they have access to.

“You can­not sep­a­rate igno­rance from care­less­ness in the wake of a cyber attack. Igno­rance is care­less­ness,” he says. “It is the employ­ees’ respon­si­bil­i­ty to do the right thing and com­ply with their employ­er’s pol­i­cy and under­stand their role and respon­si­bil­i­ty in keep­ing their access safe.”

The lock­down-dri­ven surge in remote work­ing dra­mat­i­cal­ly increased the amount of data employ­ees can access. Vir­tu­al­ly overnight, busi­ness­es shift­ed to a work from home sys­tem, mean­ing their data was placed into a more vul­ner­a­ble envi­ron­ment at the same time many employ­ees had greater access to crit­i­cal doc­u­ments and infor­ma­tion than ever before. This increased both the like­li­hood and reper­cus­sions of a cyber attack, mean­ing employ­ees need to be hyper-aware of the threat posed by hack­ers. 

How­ev­er, with remote work­ing here to stay, the only care­less or igno­rant actor in the after­math of a cyber inci­dent is the employ­er who fails to pro­tect their data, says Alex Rice, co-founder and CTO at HackerOne.

“Inevitable human error is nev­er a sat­is­fac­to­ry expla­na­tion for a cyber­se­cu­ri­ty inci­dent. If a human sim­ply click­ing a sin­gle link caused a breach of your com­pa­ny, your secu­ri­ty prac­tices are to blame, not the human,” he says. 

“If a com­pa­ny acts to its best abil­i­ty to reduce cyber risk, it is not anyone’s ‘fault’ beyond the cyber­crim­i­nals that chose to com­mit the crime. We need to get out of this tox­ic blame cycle that dis­cour­ages trans­paren­cy and con­tin­u­ous improve­ment.”

---