How, and when, to hand down consequences to employees for breaching security policy

A recent study out of the U.K. suggests that organizations, fueled in part by security challenges during the pandemic, are beginning to impose harsher consequences on employees who breach security policy.

Nearly 40 percent of respondents said they had dismissed employees for such transgressions, according to the report from Centrify.

While security leaders often pay with their jobs for lapses that lead to breaches at their companies (think Target and Uber), organizations long have struggled with how to handle everyday employees who step outside the bounds of security protocols either deliberately or inadvertently.

“Handling employees that run afoul of company security policies requires walking the line between promoting accountability and enforcing standards on one hand, while also cultivating honesty and openness about activities that may present risk,” said Tim Wade, technical director, CTO team, at Vectra. A clear set of ramifications also “incentivizes timely self-reporting to give the security team the lead time they may need to take action before any resulting damage may be done.”

Companies typically have been hesitant to impose more severe punishment, even on the repeat offender who could become a real security and financial liability. Among the risks faced by companies that maintain a hard line are potential legal and HR ramifications, and concerns over creating a toxic corporate culture that could compromise security when employees hide risky behavior.

“For those running information security programs, sanctions for employee violations of policy are a highly sensitive issue and should be approached carefully,” said Tom Pendergast, chief learning officer at MediaPro. “If you crack down too hard on first-time violations, you become the bad guy and your efforts to build an effective security culture take a hit.”

But the results of the Centrify study indicate the pandemic – and the resultant scramble to tighten security as workforces moved home – has prompted a break with conventional wisdom and pushed companies to give their policies teeth.

“The biggest driver that we see around all of this today is the expansion of the remote workforce and the use of cloud apps across both managed and unmanaged devices,” said CipherCloud CEO and co-founder Pravin Kothari. He explained that “data protection parameters are evolving so quickly in the current environment” that end users and security practitioners alike can’t keep up.

How a company handles security policy breaches, and what kind of consequences it metes out, starts with a security policy that supports business objectives, reflects corporate culture, satisfies the company’s risk appetite and incorporates the new realities of remote working.

“In short, policies should be there for a reason, they should align with the risk position adopted by the business. But that’s the easy bit,” said Steve Durbin, managing director of the Information Security Forum (ISF).

“Too often when cultural norms around security act to badger and intimidate line staff, they’re reluctant to share key indicators of phishing or social engineering that they may have been victims of, which in turn actually acts to heighten risks and undermines adherence to policies,” said Wade. “When line staff feel empowered to acknowledge and own mistakes without disproportionate punitive consequences, they are much more likely to self-report and may act as an early-warning extension of the internal security function.”

A few key best practices can help companies find balance.

Communicate policy to employees. “The trickier piece is getting people to adhere to the policy and that requires solid communication, along with explanation of the reason behind the policy, why it is important (at the individual level) and why it is being implemented,” said Durbin.

Employees are more likely to embrace security structures if they understand them, if they’re “real and not theory,” said Benjamin Corrl, chief information security officer at Coats, a multibillion global manufacturing organization, and a member of the advisory council of Cyber Risk Alliance’s Cybersecurity Collaborative. “I can’t hold them accountable for failure to meet our expectations if we haven’t clearly stated them.”

Corrl has boiled down Coats’ acceptable use policy to a single page, so employees don’t have to slog through (or worse, not slog through) lengthy guidance. He also uses employee missteps to relate policy to reality. “I don’t believe in public shaming, it’s counterproductive,” said Corrl. “But I will use [a mistake] as a teaching moment, blanking out the name [of the employee/victim] and telling people ‘this happened to us.’”

It’s important, too, to get support from the top of an organization to underscore the importance of remaining true to a security policy. “It’s a long-standing theory that if you don’t have support from the top strata all the way down, you’re going to have a toxic culture,” said Erika Lance, senior vice president of people operations at KnowBe4.

Spell out consequences to give policy some teeth. “You can’t go with no sanctions at all, or your requests become irrelevant,” said Pendergast.

Instead, organizations should put policies and procedures in place to “classify the severity of security control violations – complete with any counseling, education and punitive measures appropriate for each severity – to guide in the aftermath of said violations,” said Adam Mathis, information security director at Red Canary. “Punitive measures are an unfortunate necessity, but should be reserved for flagrant violations and habitual offenders.”

Documenting policies early on can take “the emotion out of these decisions during what may be a high-stress event for your organization,” he said, contending that “the consequences of a well-intentioned and honest mistake” shouldn’t “vary wildly depending on the end result.”

Understand the why. Often employees break the rules when they feel security causes too much friction and slows their ability to do their jobs. “In almost all incidents involving a violation of a security control, interest should lie in the ‘why’ rather than the ‘who,’” said Mathis. “Leaders have to ask if the involved party was aware of the policy they violated or the control they subverted.”

Ascertaining if – and how – an employee did a work-around can go a long way toward preventing future security policy breaches. “When I see they were negligent and kept clicking install, I ask them if they’ve subverted a process we have in place,” and remind them that “we have a way to expedite and escalate things quickly,” said Corrl.

That kind of reconnaissance helps security teams improve awareness training and suss out whether controls are in place that could have prevented or limited the scope of the violation. It ultimately also can “empower employees to ask questions where they are uncertain,” he said.

Fit punishment to crime. “Violations of security policy can be frequent, and organizations often face having to evaluate the grey area of intent and seriousness of a person’s actions,” said STEALTHbits Technologies Field Chief Technology Officer Gerrit Lansing. “For example, installing unapproved software to listen to music and copying sensitive information to an unencrypted USB drive are both likely violations of security policy that can lead to breaches; one is objectively a more serious violation than the other.”

Unintentional failures should be addressed through training and awareness with “positive follow-up to confirm behaviors have been corrected,” reserving “formal personnel improvement plans or punitive measures, up to and including moving down the path towards termination,” for intentional and willful violations, said Wade.

More serious cases of willful negligence may warrant stiffer penalties depending on the impact of a resultant data breach or compromise.

“For low impact compromise, the willingly negligent employee might be firmly reprimanded, including a documented understanding that further policy violations will result in termination,” said Melody Kaufmann, cybersecurity specialist at Saviynt.

If, instead, the employee acted maliciously, “then regardless of the damage caused by the compromise, demotion or termination is appropriate,” she said. “The same is true for willingly negligent employees triggering a significant breach.”

Companies must tread carefully, though, when doling out harsher consequences in the aftermath of an incident, or they may inadvertently shoulder the blame themselves. “The extent of the breach and potential for legal liability also is a factor in these decisions,” Lansing said.

A progressive disciplinary approach, like the one taken by KnowBe4, not only lays out policy and consequence in clear terms, but it also gives employees a chance to correct their mistakes and redeem themselves. The first three times an employee falls for a test phishing email from the company they must go through 15-, 30- and 40-minute training sessions, respectively. “By the fourth time, they get coaching, and by the fifth additional coaching,” said Lance. A sixth transgression warrants a warning followed by a final warning the seventh time out while the eighth could result in termination.

Work with HR. Lansing acknowledges that no firm rules exist for handling violations, with solutions ranging from warnings to termination.

“The decision on what actions should be taken against an individual whose security policy violations have caused a security incident lies with HR, legal and management.”

Still, security teams often find themselves “in the role of helping HR, legal, and management understand the detail and context required to make these judgements, but almost never in the driver’s seat,” he added.

At Coats, under certain circumstances after a violation, HR may “have a separate conversation” with the employee, said Corrl. “The highly technical person is not the one to have that conversation.”

Keep policies and requirements up to date. Security policies, like threats, aren’t static and must reflect the reality of risks to an organization and the consequences of violations.

“The onus rests with the corporation to keep communicating, listening and enhancing/changing policies in the light of regulatory changes and employee feedback,” said Durbin, who maintains “the best policies are under constant review, take into account ongoing feedback and obsolete policies are quickly retired.”

The pandemic makes a case in point.

“With the move to increased remote work, there is a corresponding increase in phishing and business email compromise attacks,” explained Juniper Networks Vice President and CISO Sherry Ryan. “This warrants additional employee training on email threats and communications reminding employees to be vigilant and wary of email they weren’t expecting or which originates from outside the company.”

Durbin noted that in the “age of hybrid working, employers need to re-assess security risks at the personal access level.”

Security takes the lead

Ultimately, the responsibility falls to the security team to make sure employees aren’t exposed to greater risk than the company finds acceptable and that they have all the awareness training and tools they need to avoid falling for a security threat.

For instance, if a phishing email makes it through Coats’s controls, then it represents a security failure, Corrl said.

“When considering negligence by an employee, the employer shoulders the responsibility for training and awareness. If as an employer, appropriate and sufficient training related to the violation wasn’t provided then it’s a lack of awareness rather than employee negligence,” said Kaufmann. “Organizations have a responsibility, especially in these unprecedented times to ensure employees have the knowledge to deal with likely threats.”
