
How to mitigate employees’ risky online behaviour

By Jack Campbell | 6 minute read

For modern workplaces, being online is essential. However, it brings risks: security breaches become more likely if the right training is not in place.

Human error accounts for 82 per cent of data breaches, according to the 2022 Verizon Data Breach Investigations Report. This is why proper training is crucial to protecting businesses’ assets.

“With the proliferation of social engineering attacks, employees continue to be the biggest risk factor. However, with proper training and coaching, they can become a human firewall and your last line of defence,” said Stu Sjouwerman, KnowBe4 chief executive.


There are various risks that can emerge if action is not taken, said KnowBe4’s APAC security awareness advocate, Jacqueline Jayne.

“The most significant danger of these behaviours is that they put the organisation at risk of a cyber breach. It is well known that a cyber incident can negatively affect an organisation’s stock price, especially in the short term.

“According to the Harvard Business Review, publicly traded companies suffered an average decline of 7.5 per cent in their stock values after a data breach, coupled with a mean market cap loss of $5.4 billion,” said Ms Jayne.

“Beyond the impact of fluctuating stock prices, a cyber incident will directly consume a company’s resources, leading to an increased cost of doing business. In 2022, the global average data breach cost reached $4.35 million.”

These expenses include ransom payments, revenue lost to business downtime, remediation, and legal and audit fees, Ms Jayne noted, adding that “the potential reputational damage from a breach is impossible to measure”.

“Sadly, many SMBs will not recover from a cyber incident, making the need for awareness more critical,” she said.

With this in mind, there are some effective strategies to secure the online presence of an organisation. This begins with training and awareness, said Ms Jayne.

“The most effective way to mitigate that risk is by providing employees with ongoing, relevant, and engaging training and an opportunity to demonstrate their learning with simulated phishing emails. Awareness of the potential dangers is the only way to mitigate these risky behaviours,” she explained.

“It is also important for employers to create relevant policies around what is and isn’t acceptable behaviour online and ensure you communicate them across the organisation.

“For employers, I recommend they enable multifactor authentication (aka MFA or 2FA) wherever possible, start to use a password manager, use a virtual private network (VPN) when using free Wi-Fi and ensure their software is patched on all their personal devices.”

While it may seem tempting to simply ban certain websites and activities, the current world of work makes this difficult, as the lines between work and home have faded. This is why training and awareness are so important.

Ms Jayne continued: “The best practice is to first explain the risk factors to employees and then roll out a ban on visiting certain websites from work devices. For example, I work from home and I have my work laptop and a personal laptop on my desk. If I need to do something of a personal nature, it’s done on my personal device.”

“Yes, the transition from doing everything from the work device takes time to happen as this is a big change of behaviour that will require a change management approach to keep the potential issues at bay. As we know, if a blanket ban on certain activities and websites on work devices occurs overnight with no communication, there will be more issues to deal with, such as employee backlash, and no one wants that.”

She concluded: “There will also be the requirement for exceptions which will all be different and specific to organisations to consider with a ban or block. In most cases, if approached correctly, employees will understand the reasons why and at the same time might think twice about visiting these risky sites on their personal devices too.”


Jack Campbell

Jack is the editor at HR Leader.