Rooting Out Risk

Organizations with a remote workforce are at higher risk of cyberattacks—but engaging employees in better cyber habits can help.

By Bhushan Sethi

When it comes to battling cyberattacks, tech solutions can only go so far. To truly defend their organization, HR leaders will likely also need to change some risky behaviors and attitudes among their employees.

PwC’s latest Workforce Pulse Survey found that employees are engaging in several red-flag behaviors that could be raising cyber risks for their organizations, especially now that the lines between work and home are fading as more people shift to remote work.

Given that hackers and other cyber criminals most commonly gain access to company systems through employees and their devices, it’s crucial for HR leaders to help their people become more cyber savvy at work and in their own lives. Here are three damaging employee habits HR teams should watch out for if they want to stay vigilant about cyber security.

1. Downloading rogue apps and software. Company rules about avoiding insecure downloads may be going unheeded. More than a third of employees (37 percent) say they use popular programs and apps on their work devices that their employer has expressly asked them not to use. That number is even higher among millennials (51 percent) and Gen Z employees (45 percent).

2. Not escalating security risks. Fear could be causing employees to hold back on reporting security incidents they may have caused—a big problem when IT needs to contain any potential fallout. Only a quarter of employees (26 percent) strongly agree that they can escalate a security risk they may have caused without fear of reprisal.

3. Using work devices for non-work activities. With so many people working remotely, there’s less separation than ever between work and home—and that could be making employees lax about how they’re using their work computers, phones, or tablets. A quarter of employees, including 39 percent of Gen Z employees, say they use their work devices for personal activities. More than a third, including 44 percent of millennials and 42 percent of Gen Z workers, say they let their friends or family use their work devices.

Good cyber habits complement modern security controls using powerful techniques such as zero trust (going beyond simply protecting the perimeter) and real-time detection and response. Here’s where HR leaders can focus their energy as they help people develop stronger cyber acumen.

1. Help people feel comfortable raising a security risk they may have caused. If fear of reprisal is holding people back from reporting security incidents, work on making them feel safer. Reinforce the message that leaders understand that mistakes happen, and create ways for people to report security risks anonymously. HR can also consider implementing a zero-tolerance policy on retribution so people know there won’t be negative consequences for escalating a cyber risk.

2. Work together to give employees better tools and technology options. If employees are downloading unauthorized software and apps or aren’t complying with security measures, it might be a sign of frustration. Almost half (46 percent) of millennials and Gen Zers say they find it burdensome and restrictive to comply with all the cyber security guidelines at their organization, and more than 60 percent of both groups also say they should be allowed to take more risks with new apps in return for greater ease of use. This may indicate a desire for better technology options, such as apps and tools that make it easier to do their jobs.

Work with employees to gain a clearer understanding of the types of apps and programs they need. For example, now that people are working remotely, they may need better tools for creativity or collaboration. Create ways for people to voice those needs as well as share ideas for programs that could work better: 73 percent of surveyed respondents say they know of systems that would help them produce higher quality work. The better the user experience is for employees, the less likely they are to flout security rules or download substitute apps or programs that may introduce risk.

3. Creative incentives and rewards for developing stronger cyber acumen. Gamification and incentives may motivate employees to adopt better cyber habits and improve their cyber acumen. Those who are motivated by friendly competition may enjoy gamification—the chance to earn points or rewards for good cyber-compliant behaviors or for completing advanced cyber acumen training. Others may appreciate certifications or badges they can include on their resumes and talent profiles.

4. Provide a more compelling case for good cyber habits. Employees may not be buying into the need to be cyber savvy. Only 23 percent say their firm provided a compelling case for why employees need to have good data security habits. It may help to show them how damage from a cyberattack can ripple outside of an organization. For example, help them see how an attack could affect them personally—such as harming their financial situation or exposing sensitive personal information, like medical data or emails. Explain the societal implications, too, like the devastation a cyberattack can have on public health, democracy, government systems, citizens’ trust, and more.

Lately, it seems like there’s a new headline-making cyberattack on an organization every week. At a time when cyberattacks are rising, employees are your best line of defense. Help them break risky cyber habits—and develop stronger cyber acumen—to keep the organization and its people safer.


Bhushan Sethi is joint global leader, people and organization for PwC.

Posted October 15, 2020 in Enabling Technology
