The Great Resignation is a term that entered our language because of the number of employees who left their jobs in the past year. Whether it is due to COVID work patterns, other companies vying for professionals by offering better packages, or simply Gen Z pursuing the digital nomad lifestyle, the number is massive.
According to McKinsey’s research, more than 19 million US workers, and counting, have quit their jobs since April 2021. 19 million is more than 10% of the entire American workforce. Here are the most affected industries: 79% turnover in the leisure and hospitality industry; professional and business services come second with 63.5%; and the information industry has a 38.5% turnover rate. Whether those industry rates are exact or slightly off, the indication is “a lot”, which is reason enough for us to pay attention when it comes to security breaches.
Old Habits vs. New Cultures
New blood that comes into the organization brings in their work ethics. While these talents may be top notch, they may inadvertently be misaligned with the company’s culture and policies.
Here are some examples:
- Salespeople who are accustomed to sending prospects information handed to them via playbooks or Slack may disregard labels such as “For Internal Use Only” written on documents. For them it is just white noise; they don’t even notice it.
- In another case, a new customer service employee who served for years in the retail industry, now working within an organization governed by HIPAA, may inadvertently send sensitive information via email.
- An employee working from home who decides to work from a local café, or from abroad, may connect to public Wi-Fi networks and grant them full permissions without understanding the ramifications.
In each such case, due to prebuilt reflexes, employees may cause data breaches, data loss, or fall prey to phishing attacks that ask them for information. Training away from those automatic responses simply takes time.
According to a study published by CheckPoint in 2021, an organization with 20,000 employees, exchanging roughly 12 million emails per month, with all cyber defense technologies in place, will still have a vendor miss rate of 1.23%. This means that the organization will miss 146,700 attacks per month, even with the best cyber defense technologies in place.
In 2022, the numbers are higher.
Alas, it is not a question of “if” but of “when”. The sooner the IT department embraces this, the sooner effective preventive measures can be taken.
Preventive Measures to mitigate risk, fast.
The following suggestions are based on the assumption that you have a security awareness program in place and wish for it to be more effective and yield faster results.
Creating a dedicated security profile for a limited term
Creating a designated security profile with a limited term of about 3 months allows you to easily onboard new employees into a more intensive program without making them feel they have done something wrong. It also allows you to focus your training efforts on high-risk employees and on the specific traits that may cause harm. Within this period, try to maintain phishing simulation training at least twice a month with immediate feedback, plus ongoing training, such as newsletters, focused on subjects relevant to new employees entering a new workplace.
Divide and Conquer
An organization will often consider its turnover rate holistically, often disregarding that there are departments where the turnover ratio is higher than others.
In order not to overburden the entire organization with excessive security awareness training, check which departments have a disproportionate turnover rate compared to the organization’s overall rate. In many cases, you will find that dealing with one specific department can quickly mitigate overall company risk. If this is the case, consider analyzing your phishing simulations per department and intensifying training efforts there. Given the limited resources security teams have, starting with higher-turnover departments makes better use of those resources.
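The per-department comparison described above can be automated with a short script. The following is an added example, not code from the original article: it computes the organization-wide turnover rate the article warns against relying on, flags departments whose turnover exceeds a configurable multiple of it, joins those departments with phishing-simulation failure rates, and ranks them so training effort goes to the riskiest department first. All department names, headcounts, departures, and simulation records are constructed for illustration; the 1.5× threshold is an assumption, not a figure from the article.

```python
from collections import defaultdict

# Constructed 12-month figures (hypothetical departments and numbers).
HEADCOUNT = {"Sales": 120, "Customer Service": 80, "Engineering": 160, "Finance": 40}
DEPARTURES = {"Sales": 60, "Customer Service": 40, "Engineering": 16, "Finance": 4}


def _records(dept, prefix, outcomes):
    """Build constructed simulation records: (employee_id, department, clicked)."""
    return [(f"{prefix}{i:03d}", dept, bool(c)) for i, c in enumerate(outcomes, 1)]


# Constructed phishing-simulation log, one record per simulated email (hypothetical).
SIMULATION_LOG = (
    _records("Sales", "S", [1, 1, 1, 1, 0, 0, 0, 0, 0, 0])
    + _records("Customer Service", "C", [1, 1, 1, 0, 0, 0, 0, 0, 0, 0])
    + _records("Engineering", "E", [1, 0, 0, 0, 0, 0, 0, 0, 0, 0])
    + _records("Finance", "F", [0, 0, 0, 0, 0])
)


def turnover_by_department(headcount, departures):
    """Annual turnover rate per department: departures / headcount."""
    rates = {}
    for dept, size in headcount.items():
        if size <= 0:
            continue  # no staff, so no meaningful rate (avoids division by zero)
        rates[dept] = departures.get(dept, 0) / size
    return rates


def organization_turnover(headcount, departures):
    """The holistic rate the article cautions about: total departures / total headcount."""
    total = sum(headcount.values())
    return sum(departures.values()) / total if total else 0.0


def disproportionate_departments(headcount, departures, factor=1.5):
    """Departments whose turnover exceeds `factor` times the organization rate (factor is assumed)."""
    threshold = factor * organization_turnover(headcount, departures)
    per_dept = turnover_by_department(headcount, departures)
    return sorted(d for d, rate in per_dept.items() if rate > threshold)


def phishing_failure_by_department(log):
    """Fraction of simulated emails whose link was clicked, per department."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for _employee, dept, did_click in log:
        sent[dept] += 1
        clicked[dept] += int(did_click)
    return {d: clicked[d] / sent[d] for d in sent}


def training_priorities(headcount, departures, log, factor=1.5):
    """High-turnover departments ranked by simulation failure rate, then by turnover."""
    turnover = turnover_by_department(headcount, departures)
    failure = phishing_failure_by_department(log)
    rows = [(d, turnover[d], failure.get(d, 0.0))  # no simulation data counts as 0%
            for d in disproportionate_departments(headcount, departures, factor)]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)


if __name__ == "__main__":
    print(f"organization turnover: {organization_turnover(HEADCOUNT, DEPARTURES):.0%}")
    for dept, turn, fail in training_priorities(HEADCOUNT, DEPARTURES, SIMULATION_LOG):
        print(f"{dept:<18} turnover {turn:.0%}  phishing failure {fail:.0%}")
```

With the constructed data the organization-wide rate is 30%, which hides the fact that Sales and Customer Service each run at 50% while Engineering and Finance sit at 10%. Ranking the flagged departments by simulation failure puts Sales first, which is where the article suggests concentrating the limited-term training program. In practice the headcount and departure figures would come from the HR system and the simulation records from the awareness platform’s export.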
Help leaders lead
Security is a profession with a very wide span of control. As a security professional, you impact the whole organization and require everyone’s attention and participation, yet you usually get to manage a relatively small team. Nonetheless, security is also the responsibility of every single manager in the organization, and sometimes this is forgotten. One way to cope with employee turnover and limited resources is to help leaders lead cyber hygiene practices within their departments.
You can achieve this by building trusted relationships, starting with sharing a little data on how training is going and how their department is performing. As everyone is busy achieving their own business goals, giving department heads a lightweight understanding of their department’s security risk can go a long way toward enlisting them to lead security within their units. A joint effort will help the organization achieve risk mitigation faster.