A recent article in the HR magazine People Management debated whether an employee's role in a cyber security breach could be justification for disciplinary action.
Drawing on the evolving working landscape, the discussion explored how the geographic dispersal of teams today has created an environment in which stored and accessed sensitive data is more vulnerable. But with so many variables to consider in the event of an attack, where should the blame be directed? And is disciplinary action really the most impactful solution?
Here, Vapour CEO Tim Mercer shares some crucial perspective…
If we know anything about cyber attacks, it’s that they’re becoming increasingly sophisticated. From phishing and malware downloads to zero-day exploits and SQL injections, perpetrators are constantly finding new avenues to infiltrate business-critical data. This isn’t just detrimental in terms of cost, but can have a harmful impact on customer and stakeholder trust too.
Of course, prevention is always better than the cure. And it goes without saying that training is a must. Employees are a business's first line of defence, and it’s in an employer’s best interest to make productive use of this by upskilling teams day-to-day – rather than as part of a remedial solution. But accidents do happen, even with these measures in place.
Punitive action might seem worthwhile. Surely making an example of someone will cause others to become more vigilant, right? Potentially so, but it also risks scaring your staff into silence – making them too afraid to speak up if they experience a breach. And that can cause significantly more damage than if the incident had been reported in the first place.
If your specialist IT team isn’t aware of a vulnerability, they can’t act quickly to secure it – leaving you open to more breaches than if the issue had been resolved from the outset. Worse still, if your organisation has compliance requirements to adhere to and breaches are not being reported, this could lead to penalties and fines at a later date.
Uber is a very high-profile example: its former chief security officer, Joe Sullivan, was recently found guilty of actively hiding a data breach from the US Federal Trade Commission (FTC) and concealing a felony. This doesn’t just show disciplinary action as a potential consequence of slipping up, but severe criminal conviction too.
There will be instances where an employee intentionally weakens tech infrastructure, releasing sensitive data with a purposeful and calculated act. And these are absolutely grounds for dismissal, if not more severe action. But it’s important to tread lightly before making any kind of accusations.
Vapour has been supporting organisations large and small with end-to-end cyber security protection for almost ten years. With clients spanning sectors from automotive and construction to property and waste management, our expertise is vast and varied.