A SCARS Position Statement – September 1, 2020
In a recent conversation with a leading cybersecurity training company, we explored the predominant notion that employees who fail to follow corporate policies and procedures, and thereby allow cybersecurity breaches, are reckless, negligent, and at fault. Increasingly, we have seen that companies are holding their employees financially responsible for mistakes that allow cyber-attacks to get through defenses, such as phishing scams, business email compromise (BEC) scams, ransomware attacks, etc.
However, is this view correct?
Or is it, in fact, decreasing security by forcing employees to be fearful of cybersecurity as a threat to their own well-being and employment?
I am a Director of the largest cybercrime victims’ assistance organization, SCARS (www.AgainstScams.org), and I would argue that everyone who falls for a scam, either personally or in a corporate context, is a victim and deserves consideration as a victim.
Additionally, I would argue that companies that fail to recognize this fact are undermining their own efforts to create a more secure environment.
Far too often, corporate cybersecurity policy-makers devise policies that attempt to impose liability on their own employees for their failures. Such liability can range from loss of employment to severe financial liabilities. In fact, in recent years we have seen companies suing their own employees for BEC scam losses. However, blaming the victim is never a way to stop incidents from happening.
The reality is that every employee is just a human being, and in the case of scams, social engineering is far more powerful than the individual in most cases. Policies that fail to recognize this are doomed to failure. No one can simply mandate perfection under threat from an employer. It just does not work.
Boards across all industries must recognize that their employees are not the problem, though they are a vulnerability. And when they are attacked, they are victims every bit as much as the business or institution itself. By recognizing this simple fact, organizations can begin to better understand that they and their employees are unified in their inherent vulnerabilities and can address them collaboratively, instead of by imposition from the top down.
This is important not only from a prevention perspective but especially during the mitigation of an attack in progress. If employees feel that they will be targeted by their employer for cybersecurity breaches, they are less likely to actively participate in remediation during an attack and, in fact, may hide essential evidence in an effort to protect themselves or claim they were not involved. It may result in employees being more likely to cover up incidents and not involve cybersecurity specialists immediately when time is of the essence. This costs critical time when it is needed most. It also creates an “every man for himself” mentality, instead of an “all for one” approach.
Post-incident, we see all too often that the employees involved in these incidents are condemned by other employees and management, defamed, and even potentially referred to corporate legal for action. This creates a climate of fear following cyber-incidents instead of focusing everyone’s attention on future prevention. It can also significantly traumatize employees, causing loss of future effectiveness and eventual departure from the organization.
Human beings will always be vulnerable to social engineering; all of us are. Developing protective behaviors against it takes more than a policy and a couple of hours of mediocre training on the subject. Employees must be shown how social engineering actually works on them, their friends, their families, and their societies. With an understanding of the real mechanics, employees become empowered to see their vulnerabilities clearly and are much more willing to adopt new defensive behaviors. This removes the climate of cyber-fear and replaces it with a shared comprehension of the need for unity and mutual support. Every employee will make mistakes, and instead of focusing on blame, every organization should recognize this as a fact.
Organizations need to recognize that their employees are every bit as much victims when these attacks occur as the organization itself. When companies make this leap, they can truly take a giant step towards full sharing of responsibility for prevention, mitigation, and post-incident recovery.
They must also recognize that employees, as victims, also need help after an incident.
Cybercrimes traumatize their victims, in some cases profoundly, and just as with physical crimes, employees can be in need of professional support. However, the anticipatory fear that organizations impose on their employees through their policies and threats of financial or other liability only adds to the trauma after the fact. Human Resources departments need to be part of these conversations and recognize that, like any crime victim, cybercrime victims need and deserve compassion and support, not condemnation and accusations. This is not only because of the trauma imposed by truly reckless accusations, but also because such accusations create a hostile working environment that can bring the liability back onto the company itself.
Our organization understands the fundamentals of cybercrime victimization and strives to expand the role of victim support in all aspects of post-cybercrime remediation. This notion of an employee as a victim is far from obvious to most of the corporate world. However, by adopting this posture, enterprises can better obtain the cooperation of employees in identifying vulnerabilities, better mitigate attacks, and reduce the traumatic impact on the organization and its employees. All of this leads to a more secure environment.
We welcome the opportunity to share this view and are open to helping organizations better understand it. Businesses and institutions are welcome to contact our nonprofit about how we can help you better understand the psychological impact of scams, and how empowering your employees to be part of the solution, instead of being viewed as the problem, will help you achieve better, stronger, and more robust cybersecurity. However, our mission is to support scam victims whenever and wherever we can.
We hope that you can understand this shift in view and can find ways to internalize it in your own organizations. We are here to help.
Tim McGuinness, Ph.D.,
Society of Citizens Against Relationship Scams Inc.