5 ways to avoid employee resistance to security initiatives

If there's one thing holding businesses back from achieving high cyber-resilience, it's employee resistance to security initiatives. Why? Because the value of strong cybersecurity policies and controls implodes the second an employee decides to circumvent them. There are, of course, ways to avoid this. Here are 5 of them.

Being aware of your cyber risks and knowing how to fix them is one thing. That’s challenging in and of itself. Convincing employees to get on board with your security policies is another, equally painstaking thing.

Because if there’s one factor preventing businesses from succeeding with their security measures and becoming cyber-resilient, it’s lack of employee buy-in for security initiatives, policies and controls.

Why employees resist security policies

"I'm hired to do my job, not follow security policies."

Today, employees have plenty of good reasons to resist new security initiatives. First of all, they’re paid to produce, not protect. Their number one job is to do their job, not sacrifice productivity for the sake of adhering to various security protocols. This naturally gives them an incentive to prioritize productivity over security. And who can blame them? Businesses reward people who deliver, not people who follow policies.

"Security policies are too restrictive."

Secondly, it’s fair to say that most workers see security measures as a hindering force, not a productivity-boosting one. Generally, traditional security initiatives restrict users in their ability to work freely and without constraints. They limit users’ access to various sites and tools, require them to request access permissions, and more often than not add extra, time-consuming steps to a process that would otherwise have been easy to complete.

"What's in it for me?"

Thirdly, employees resist security initiatives because they don’t see how the given solution benefits their own workday. This is critical. How are you going to convince employees, who are paid to produce, to go out of their way to follow certain security measures, if they don’t see the value of doing so? If there’s no direct benefit to the individual, they’re prone to slack on their behaviour or bypass the security controls to get work done, ultimately creating a huge security vulnerability.

So how do you avoid this? How do you get buy-in from your employees on new security initiatives and prevent policy violations?

5 ways to avoid employee resistance to security initiatives

1. Choose cybersecurity champions

Introduce a few select employees to the new solution before a wider roll-out. These champions can help explain the value of the solution, and help others adopt the tool. They can also catch potential user problems prior to an org-wide roll-out.

2. Give more insight into the "why" behind the initiative

No employee cares about security as much as you do. But this isn’t to say that they don’t want to contribute to the safety of the company. Give them more insight into the cyberthreat and explain to them exactly why this new initiative is important, and how they can contribute to its success.

3. Make it easy to be secure

Awareness and preparation are never enough. Some people will always take the path of least resistance, even if it means sacrificing security for productivity. Therefore, choose security tools and initiatives that make working securely easier, not more complex.

4. Listen. Listen. Listen.

Ignoring your employees’ needs and opinions is a sure way to fail any new security initiative. Cybersecurity is often a cause of internal conflict, as it’s easy to blame others for failing to uphold high security standards. But remember that your employees’ behaviour is the key to security success. So, ask them for their opinion. Hear what they have to say. And listen, listen, listen.

5. Only buy the tools you need

Choose solutions that do what they need to do. And nothing more. Enterprise-level IT platforms have a million features. But you probably won’t use 85% of them. Ever. This is not just a waste of resources, it also makes cybersecurity unnecessarily complex.

The best thing those responsible for IT can do to prevent employee resistance

Reducing employee resistance to security initiatives is not something you achieve in one day.

The best thing you can do as a company, and as the person responsible for IT, is to put yourself in the shoes of your employees and try to understand their motivations, and how you can align your security strategy and initiatives with them.

And that takes time.

 
