One of the things people forget about cybersecurity is how hard it is to stay on your guard.
We know that “urgent” emails can be scams, or that the bank employee asking for your details isn’t always genuine. But the slightest lapse can lead to us making a terrible mistake.
The danger of scams

Every so often, you’ll hear about a hack which started as a phishing message.
An employee falls for a scam email and causes disaster for the company they work for. This happens thousands of times a day in some form or another.
When this happens, there’s a tendency to blame the employee. People will say, “How could anyone fall for that?”

The answer is the same reason people fall for scams in real life: we get caught off guard.
Anyone can be scammed, from government officials to ethical hackers, and those who think they’re immune are usually the easiest targets.
We wouldn’t blame someone for falling victim to a real-life con. But our computer systems are connected in such a way that if one person falls for a digital scam, it could ruin our whole organisation.
In a situation like this, some companies start throwing around terms like “negligence” and “incompetence”. This is a massive mistake, because blaming the victim makes us even less secure.

We can’t punish our way into security
One way that companies try to secure themselves is through “phishing tests”.
These are services which send out fake (but convincing) scam emails to their employees. When someone falls for one, they’re typically made to take training.
There are a few things wrong with this approach.
For a start, training should always be proactive, and never associated with the crime of making a mistake.
We aren’t born knowing everything, and when someone slips up, they shouldn’t feel like they’re being reprimanded.
It also creates a culture of distrust among workers.
The IT department is no longer a bunch of friendly nerds who’ll sort out technical problems. They become bogeymen, ready to swoop in and punish people at the first opportunity.
Whether this is accurate is irrelevant: it’s a perception, and perceptions matter.
Most damningly of all, an oppressive culture makes people more hesitant to admit a genuine mistake to their organisation.

In the minutes following a successful phishing attack, every second is crucial.
Which would be more constructive in a situation like this: an employee covering up their mistake, or telling you what happened?
The more a worker likes their employers, the more likely they are to follow security advice. For this reason, while punishing employees might work in the short term, it could be disastrous in the long term.

So what do we do instead?
Positive reinforcement works better than punishing people. Otherwise, all we’re doing is creating fear.
Our free training courses were created with this in mind. They’re fun and gamified, assuming no prior knowledge.
We recommend you use them like any training should be used: not as a reaction to perceived negligence, but as a way to empower your employees.