Fighting against a culture of fear in cybersecurity

Hotel spyware is capturing stealth screenshots of personal data from hotel booking systems. Vulnerabilities in cellular networks are being used to spy on individuals. Risk is everywhere – and for organisations across industries, that makes it very easy to build a culture of fear around security operations. 

Some organisations do this deliberately. There’s a misconception that instilling fear, uncertainty and doubt into employees will motivate them to be vigilant and diligently follow security protocols – because fear is an important motivator for human behaviour. 

In reality though, fear and uncertainty can do more damage than good to a company’s overall security posture.

Why is fear bad for security? 

If you instil in your team the fear that if they don’t follow security measures perfectly every single time they interact with your network they risk exposing sensitive client data to hackers, they won’t actually be afraid of that data being exposed. What they’ll really be scared of is being held personally responsible (or being blamed) for the data being exposed. 

That means they’re more likely to feel shame or worry when they don’t follow best practices; they’re more likely to keep secrets, rather than being honest when they’ve made a mistake because their primary goal is to protect themselves. 

Fear leads to irrational decision-making

When a human being feels fear, they’re not in the best frame of mind to make rational, logical decisions. So in the face of a security risk, feeling fear about the repercussions can drive panicked decision-making that prioritises their emotions rather than a bigger picture view of long-term security. 

This could affect the way a team member navigates a network; for example, how they deal with potential phishing emails, or what they do when a multi-factor authentication request appears unexpectedly on their device. 

Uncertainty and doubt cause hesitation and poor choices

When an employee is uncertain about their role or doubtful of the efficacy of the security measure they’ve been trained to follow, they might avoid making decisions at all; or make decisions that oppose their training, because they don’t trust what they’ve been taught. 

And when an employee doubts that the security measures they’ve been trained to follow are really effective or relevant, they might make poor decisions that override their training. If an organisation repeatedly tells its team that phishing emails are impossible to spot, for example, before laying out a protocol for dealing with phishing emails – then they’ve laid the foundations for mistrust in the protocol, because employees won’t trust their own abilities to identify malicious emails.

How to build a more positive cybersecurity culture in your organisation

It’s critical that organisations make their employees feel confident that security is possible – because that’s the only way to encourage proactive engagement with security measures. 

This is true even when you’re communicating security information after a breach has happened. Instead of focusing on the most catastrophic outcomes, build your communication around what can be done to solve the problem, protect the organisation and its people, and prevent a similar breach from happening again. 

Clarity and transparency in security training and awareness programs is also key. And this means you have to follow through with every piece of information – offering a complete picture, instead of a murky, confusing view of what happens when a security procedure is implemented. 

Don’t just show employees how to disclose a vulnerability or a security error; show them what happens after they disclose it too; step-by-step. 

Equip your team with the information and skills they need to feel confident in the security practices you’re asking them to engage with. Be clear about their role, and what happens when something goes wrong. Don’t make them feel like security is impossible. And don’t leave them worrying that their job or reputation will be at risk if they make a mistake.

Join us at Black Hat MEA 2024 to immerse yourself in the global cybersecurity community.