The Harvard Business Review surveyed more than 330 remote employees from a wide range of industries, asking them to self-report both their daily stress levels and their adherence to cybersecurity policies over a period of two weeks.

Employee Stress Leads to Failure of Cybersecurity Policies

HBR found that across its sample, adherence to security conventions was intermittent. During the 10 workdays HBR studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks.

But what led to those breaches in protocol? When asked why they failed to follow security policies, the participants’ top three responses were: 

  • “to better accomplish tasks for my job” 
  • “to get something I needed” 
  • “to help others get their work done” 

These three responses accounted for 85% of the cases in which employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches — making non-malicious breaches (i.e., those motivated purely by the need to get work done) 28 times more common than retaliatory ones.

A Paradigm Shift in Cybersecurity Philosophy

Against this backdrop, the imperative for organizations to fortify their cybersecurity measures becomes even more pronounced. In the modern cybersecurity landscape, where every employee potentially serves as a threat vector, the need for technical and business leaders to comprehend the underlying factors contributing to non-compliance is paramount.

The Harvard Business Review’s analysis underscores a paradigm shift in cybersecurity philosophy, suggesting that security policies should not solely concentrate on repelling malicious attacks. Instead, they should acknowledge the nuanced reality that many employee-driven breaches stem from a genuine attempt to strike a delicate balance between the imperative of security and the demands of productivity.

What Organizations Can Do

In the modern cybersecurity landscape, every employee is a potential threat vector. To safeguard their organizations effectively from the effects of employee stress, leaders in both technical and business domains must understand the factors that can make individuals prone to disregarding policies, thus inadvertently creating openings for potential attackers.

As the Harvard Business Review explains, “Rather than focusing on malicious attacks, security policies should acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity.”

Apono Solution

While it can’t eliminate stress, Apono can make sure that stressed employees don’t have standing access to important resources. Instead, employees must request time-bound access to what they need.

Apono delivers cutting-edge least-privilege access management solutions, offering a suite of sophisticated tools that elevate access control through dynamic mechanisms. At the heart of Apono’s comprehensive platform lies a commitment to revolutionizing access management practices, empowering organizations to navigate the intricate landscape of cybersecurity with unparalleled efficiency and precision.

Central to Apono’s arsenal of capabilities is the integration of Just-In-Time (JIT) access, a transformative feature that enables organizations to transcend traditional access models. This dynamic mechanism ensures that employees only acquire access privileges precisely when needed, mitigating the risks associated with prolonged or unnecessary access rights. By embracing JIT access, organizations can bolster their security posture by minimizing the window of vulnerability, strategically aligning access privileges with the ebb and flow of operational demands.

Complementing JIT access is Apono’s robust implementation of Attribute-Based Access Control (ABAC), further fortifying its position as a trailblazer in access management solutions. ABAC introduces a layer of granularity and sophistication by factoring in various attributes, such as user roles and environmental variables, in determining access rights. This nuanced approach allows organizations to craft a more fine-tuned and adaptable access management strategy that responds dynamically to contextual factors, fostering a security framework that is not only robust but also inherently flexible.