The Court of Appeal ruled in October 2018 that Morrisons Supermarkets was vicariously liable for a data breach in which the personal data, including bank account details, of thousands of employees was posted online by a disgruntled employee. This has caused many employers serious concern about what they can reasonably do to mitigate the “internal threat”, whether it arises from human error or from malicious intent.

A 2016 study of 874 data breaches found that fewer than 10 per cent were carried out by outsiders using stolen credentials, compared with 22 per cent caused by malicious employee activity and a shocking 65 per cent resulting from employee or contractor negligence. With the EU General Data Protection Regulation (GDPR) now in force, organisations face fines of up to €20 million or 4% of annual global turnover, whichever is higher, for certain infractions. There are also non-financial costs to consider, such as reputational damage and loss of customer trust.

Robust cyber security involves implementing controls based around three pillars: people, processes and technology. This three-pronged approach helps organisations defend themselves against both highly organised attacks and common internal threats, such as accidental breaches and human error. IPA has developed a training programme aimed at strengthening the first of these pillars: people. It is vital that every employee is aware of their role in preventing and reducing cyber threats. At the same time, the specialised technical cyber security staff within any organisation need to be equipped to explain the processes and technology to their non-technical colleagues and, equally importantly, why they need to use them in their daily job roles. Cyber threats change quickly, so processes need to be continually reviewed to keep pace with them. This is why organisations need adaptable employees who are engaged with their organisation and the challenges it faces.

The essence of employee engagement is that given the right circumstances, employees will be prepared to 'go the extra mile' in the service of their organisation. The four key enablers (Leadership, Engaging Managers, Integrity and Informed Voice) are well known to regular readers but it is clear that all have a role to play in ensuring any organisation’s cyber security.

An engaged workforce is probably the best friend a senior manager can have when trying to lead their organisation through challenges and change. Supporting it, enabling it and listening to it may provide one of the best returns on investment it is possible to make. A workforce that feels it is listened to by management in a respectful way is far more likely to head off a major security incident that could cost the organisation dearly. Having an engaged and informed workforce also makes it easier to secure buy-in to the cyber security objectives, and colleagues are more likely to listen when the organisation explains security protocols to them.

The key challenges for managers, and the areas they need support in include:

  • How to engage employees in fighting the cyber-security threat
  • How to effectively communicate the importance of cyber security and processes
  • Understanding the role of staff involvement in reducing the cyber security threat
  • Understanding the importance of training, and of encouraging people to adapt and extend their skillsets

Ultimately, an informed employee voice acts to strengthen organisational resilience. Moreover, an engaged workforce with a meaningful voice will support an organisation undergoing periods of turbulence, either as a result of internal change programmes or external pressures. A disengaged workforce that lacks a proper mechanism for meaningful dialogue will instead exacerbate those pressures as they look for means to vent the frustrations that they have no legitimate means to express.

It is critical, therefore, that managers at all levels become aware of these links between cyber security and employee engagement. If this does not happen, who will be next to face the courts?

Derek Luckhurst is Training and Development Director at the IPA

The IPA has been working with the National Cyber Security Centre (NCSC), part of GCHQ, to develop a training product around the human element of cyber security. For more advice and information about how the IPA could help you with cyber security issues through workforce engagement, please get in touch via the details below.

[email protected] 

07780 697024