The Security Risk in the Cubicle Next Door

Your own employees may pose a bigger IT hazard than outside threats.

As laptops, smartphones, and Wi-Fi become more prevalent in the business world, so do the risks that corporate and customer data can be lost or stolen. Analysts predict the information security sector will grow into a US$125 billion industry by 2015. But no amount of data encryption or firewalls can guarantee that employees won’t misbehave. A new study says the human element is the most vital line of defense against cybercrime.

First, companies must overcome the significant difference of opinion between IT experts and the managers who make the routine decisions about their firm’s information security. One of the starkest differences revolves around the danger posed by a firm’s own employees.

The authors conducted in-depth interviews with frontline workers, managers, and information security professionals—CIOs and network administrators—at large firms in a variety of industries across the United States. Points of contention quickly emerged. For example, 39 percent of managers cited hackers as the biggest danger, whereas only 4 percent of security specialists agreed, citing threats such as Trojans, viruses, or worms as more dangerous. But in reality, a company’s own staff can be even more vexing: Almost 60 percent of security professionals pinpointed employees as the most likely source of accidental or intentional breaches.

The most essential bulwark against cybercrime appears to be a happy workforce, according to the study. The interviews revealed two factors that led employees to consciously betray their firms: the knowledge that the proprietary information in a database could be sold to competitors, or a desire to exact revenge on the company for some kind of perceived slight.

Draconian practices seeking to limit employees’ Internet access can often backfire if they sow bitterness. Instead, managers at all levels should appeal to their employees’ sense of obligation to protect their organization’s resources—emphasizing that other people may be harmed by their mistake. Accordingly, the authors advise, IT professionals should focus on the idea of protecting “others” rather than “the company.”

And IT experts can dampen some of their employees’ interest in financial gain by emphasizing how coworkers, customers, and employees’ own families could be devastated by a security breach, with consequences ranging from identity theft to widespread job loss.

Whether employees stay on their toes can also depend on their leaders’ attitudes. When the managers responsible for security training project an air that all is well, employees can be lulled into believing that they no longer need to be vigilant. Most important, the authors write, IT professionals should communicate the “clear message that security is everybody’s job.”

Source: “Bridging the Divide: A Qualitative Comparison of Information Security Thought Patterns between Information Security Professionals and Ordinary Organizational Insiders,” by Clay Posey (University of Alabama), Tom L. Roberts (Louisiana Tech University), Paul Benjamin Lowry (City University of Hong Kong), and Ross T. Hightower (University of Wisconsin–Milwaukee), Information & Management, July 2014, vol. 51, no. 5

Matt Palmquist

Matt Palmquist is a freelance business journalist based in Oakland, Calif.
