Thought leadership

Avoiding breach blame culture

by Egress
Published on 14th May 2021

When we talk about insider threat, people’s minds are often drawn to thoughts of malicious insiders. Perhaps a disgruntled employee exfiltrating data to a new job, or someone deliberately working in tandem with cybercriminals for personal gain.

These incidents aren’t fantasy – they do occur. The daily reality though, is that most data breaches arise from human mistakes. Businesses therefore have a ‘carrot or stick’ decision to make: do we reprimand people who endanger company and client data, or do we create a culture where they feel empowered to come forward and get help?

The right solution is of course the latter – and it starts with understanding why people cause breaches in the first place. We can then use technology to help create a blame-free environment where everyone is pulling in the same direction regarding data security.

Why people cause breaches

Accidental data loss from non-malicious insiders is far more common than intentionally malicious activity. Even phishing attacks, which originate from an external source, still require an honest mistake from an insider to cause a breach. Some social engineering attacks are so sophisticated, even a well-trained and diligent employee can fall victim.

The mistakes that lead to breaches are normally made by people who are stressed, under pressure, not trained properly, or unfamiliar with best practice. It’s when people are in these states of mind that they misdirect an email or fall for a phishing scam they normally would have spotted.

There’s no doubt that remote working during the pandemic has exacerbated the issue. People are under more stress, tend to have more distractions within their homes, and are working on unsecured personal devices and routers. Egress' Data Loss Prevention Report backs this up, showing that 59% of IT leaders have seen an increase in data leakage via email since the pandemic started.

Fallout from a data breach can be serious in terms of reputational damage, regulatory penalties, and loss of clients. They aren’t incidents that organisations can afford to go unreported. So how do businesses ensure everyone is reading from the same page?

Creating a culture of trust

Trust plays a vital part in almost every aspect of our lives. There are plenty of situations where we have to figure out who can and can’t be trusted. At work, it’s important to create a culture where people can trust each other and work together to keep data safe.

Many organisations rely on a system of self-reporting when it comes to breaches. However, if they have fostered a blame culture, many incidents may be going unreported. If someone sees a colleague fired or reprimanded for misdirecting an email – are they going to report the next incident where they may have been at fault? Or say nothing and hope no damage comes of it?

It’s only human to make mistakes, and even a careful, considered worker can slip up on a particularly stressful day. It’s far better to create a culture where this person alerts their security team straight away, knowing they won’t get in trouble. Their first thought would be about preventing a data breach incident, rather than panicking about what will happen to them personally.

The onus is on security leaders within organisations to create this atmosphere by giving people the right tools to do their jobs and prevent them from causing breaches. It’s not in the best interest of a business or its employees to make it difficult or frightening to report a breach.

Technology as a guardrail

We’re sending more digital communication than ever. But shutting these channels down is not the answer – neither would it be practical in a world where remote working is here to stay for so many businesses. Instead, people need to be guarded by good security and trusted to do the right thing.

Some employees might initially be wary of security technology, believing it’s there to police them and catch them out when they make mistakes. Certain traditional security technology can also dent productivity, leading to security fatigue and people taking short cuts. However, this doesn’t have to be the case.

Intelligent data loss prevention, otherwise known as human layer security, uses machine learning to adapt to each individual user’s working behaviours and patterns of communication. This means it’s able to catch everyday context-driven mistakes such as attaching the wrong document to an email or sharing sensitive data with the wrong client.

Human layer security is not there to catch people out and blame them, but to be used as a guardrail that helps employees to do their jobs safely. It complements a trust-based culture, making employees feel empowered to share content without risk.

Interested in learning more about the psychology behind why we breach, and how to predict and prevent insider threat? All of our sessions from ‘Human Layer Security Global’ are now available to watch as on-demand webinars.