Users love their cyber teams, but find them frustrating

Despite strong support for security teams, a good number of ordinary workers see them as obstructive to business goals, and would like to see them operate more transparently

While ordinary workers implicitly trust their security teams when it comes to their ability to prevent and minimise cyber attacks, a significant minority see them as inclined to obstruct everyday business goals and would like to see more transparency from those tasked with keeping them safe, according to a study conducted by CybSafe.

CybSafe’s survey probed user attitudes towards security professionals in the UK and the US, and found evidence that more could be done to improve how security teams relate to the wider workforce.

CybSafe’s CEO, Oz Alashe, said: “While most appreciate the important work cyber teams at enterprise organisations do, it’s essential to reflect on gaps hampering communication with the wider workforce. People want better resourcing and more empowering, personalised assistance to help improve organisational security.

“While communication of any kind can be difficult in larger corporations, those who can develop a frictionless and accessible way to engage their workforce in cyber security practices can significantly enhance their organisation’s resilience to cyber threats.”

Some of the frustrations highlighted in the report relate to hybrid workers, whose numbers have vastly increased in the wake of the Covid-19 pandemic. Given their need to access IT systems and tools from wherever they may be, cyber protocols designed for centralised, pre-Covid offices can feel restrictive to hybrid workers, and 26% of respondents to the study said security systems often slowed or blocked their ability to work effectively.

The prevalence of the old ways also contributed to the fact that 25% of employees viewed security personnel as intrusive, while 24% said their personal work objectives had been hindered and 38% felt obstructed from performing their core duties.

Additionally, 28% said they saw security staff as “secretive” and “removed from daily operations”, while 12% of respondents said they tended to put off reading important security emails, with 6% never opening them at all.

CybSafe said that, given the vast majority of cyber attacks begin through human error, it was clear that more needed to be done to reinforce, and improve, users’ relationships with security personnel.

And respondents tended to agree – 31% wanted to see more transparency around security policy, and 41% said they would be keen to learn about more real-world scenarios that translate technical security protocols into tangible contexts, mapped to their daily working lives.

The survey also highlighted concerns over cyber security investment and training. Only 15% of respondents said they saw cyber as underfunded at their workplace, yet 45% advocated for mandatory security training and 27% believed their current training setup was ineffective.

“The views expressed by enterprise workers show people want to take responsibility and be part of the solution. However, companies need to equip them, which involves properly engaging people while measuring the impact of actions on the behaviours that reduce organisational risk,” said CybSafe’s director of science and research, Jason Nurse.

“People don’t want faceless, generic communications, but security narratives personalised and tailored to individual contexts and protocols, ultimately becoming supportive rather than restrictive.”
