De-shaming Cybersecurity Mistakes Can Help Prevent a Hybrid Work Disaster

This article is part of the Crunchbase Community Contributor Series. The author is an expert in their field and a Crunchbase user. We are honored to feature and promote their contribution on the Crunchbase blog.

Please note that the author is not employed by Crunchbase and the opinions expressed in this article do not necessarily reflect official views or opinions of Crunchbase Inc.

Hybrid work will bring new cybersecurity challenges — and it already has. Employees may use unsecured Wi-Fi outside of the office, bring personal devices back to the office, or fall for email scams that take advantage of the transition. To prevent a costly data breach, business leaders must create a culture that encourages employees to report mistakes, like clicking on a suspicious link, instead of shaming them. 

This summer’s Kaseya cyberattack was the single largest global ransomware attack on record. When employees tried to warn company leaders about major cybersecurity issues before the attack, they were either ignored or fired. This is deeply concerning. It’s clear that this type of punitive response is not only ineffective but harmful.


Let’s face it: employees are going to make mistakes, break the rules, or be tricked by cybercriminals. But a culture of shame and punishment isn’t helping anyone. During the disruptive transition to hybrid work, businesses must evolve their security culture toward transparency and collaboration while enlisting employees as part of the solution. Here’s how:


Employees fear admitting to mistakes

Human error continues to be the leading cause of data breaches. These mistakes are often unintentional, like sending an email to the wrong person, but can get data into the wrong hands. For example, when an employee at a gender identity clinic in the UK CC’d email recipients instead of BCC’ing them, they exposed the personal information of 2,000 people. A breach like this could lead to loss of customer trust and potential regulatory fines.

Unfortunately, employee mistakes are often invisible to IT and cybersecurity teams. A report from Tessian found that over a quarter of employees admitted to making cybersecurity mistakes while working from home that they say no one will ever know about. This means that if employees don’t admit to their mistakes, an organization may never know about a breach. 

More than one-quarter of employees said they failed to report cybersecurity mistakes because they feared facing disciplinary action or being required to take more security training. When it comes to receiving or clicking on a phishing email, only half of those surveyed said they always report it to IT.

If employees don’t share mistakes or suspicious activity, businesses can’t fully understand their level of risk. This could have particularly high consequences amid the cybersecurity challenges brought on by hybrid work. 


Hybrid work could create new risks

A majority of IT leaders fear that ransomware and phishing attacks will rise with hybrid work. In fact, these attacks have already started. Cofense found a phishing attack impersonating a CIO that welcomed staff back to the office and asked them to provide login credentials.

Meanwhile, employees have picked up poor cybersecurity habits while working from home and may bring them back into the office. A report from Tessian found that two in five employees (39 percent) said the cybersecurity behaviors they practice while working from home differ from those they practice in the office. Half admitted it’s because they feel they are being watched by IT departments in the office. For example, employees may have grown used to using software and programs that aren’t company sanctioned.

Many employees have been working on personal devices like laptops and cellphones that aren’t as secure as company devices — and expect to continue using them in the office. Forty percent of employees said they plan to work from personal devices in the office. 

These changing dynamics make it crucial for organizations to educate employees on relevant cybersecurity threats and build a culture where employees are part of the solution. 


IT teams must be partners, not punishers

Instead of punishing or shaming employees when they report cybersecurity mistakes or vulnerabilities, IT teams must encourage it. Even better: reward those who do come forward. In a recent podcast interview I recorded, information security analyst Tracy Z. Maleeff told me she sends employees a ‘cyber cupcake’ when they report phishing emails. Find creative ways to positively reinforce this behavior and make it clear that everyone in the company is part of a single team working to prevent a breach.

I’ve also seen leaders use gamification to encourage an open cybersecurity culture. For example, create a points system that rewards teams for sharing vulnerabilities or speaking up about an email or phone call that feels suspicious. Encourage employees to trust their gut — if something feels off, it’s worth flagging.

In order to play an active role in cybersecurity, employees must also be aware of the latest threats. That’s why ongoing training is so important. Educate employees on the risks that are specific to their job function, tenure, or location using real-world examples. This way, when they see suspicious activity or are about to make a mistake, they’ll be able to recognize it.

IT teams can’t prevent a breach if they don’t know about it, nor can they take action to ensure other users haven’t been compromised. This makes employees a crucial layer of business security. A strong cybersecurity culture can help organizations navigate the new challenges of a hybrid workplace while allowing employees to work both productively and securely. 

Tim Sadler is the Chief Executive Officer and co-founder of human layer security company Tessian. After a career in investment banking, Tim and his co-founders started Tessian in 2013, creating a cybersecurity solution that uses machine learning to protect people from risks on email like data exfiltration, accidental data loss and phishing. Tim has since built the company to over 160 employees in offices in San Francisco and London, raised over $60 million from leading venture capital funds, and was listed on the Forbes 30 Under 30 list in technology.

Originally published August 30, 2021, updated April 26, 2023