How to Foster Secure Employee Behaviours and Manage Insider Risk
Gartner has recently released an eBook titled “4 Ways to Achieve Secure Employee Behaviours: Manage Human Risk and Build a Security-Conscious Organisation.” This eBook highlights an alarming statistic: 82% of data breaches in 2022 were a direct result of employee behaviour. As cybersecurity threats grow more sophisticated, it’s clear that the human element remains one of the biggest vulnerabilities within any organization.
In this blog, we summarize key findings from Gartner’s eBook, focusing on how businesses can address insider risk and build a security-conscious culture.
You can download the full PDF from Gartner to explore more detailed insights.
Current Security Awareness Training Issues
Despite advanced security technologies and robust protocols, employee errors—whether unintentional or deliberate—are a primary cause of breaches. Simple mistakes, such as clicking on phishing links or mishandling sensitive information, remain widespread. In some cases, employees intentionally engage in risky behaviours for personal gain or other malicious reasons.
Gartner’s data reveals that:
- 93% of enterprises use phishing simulations.
- 92% employ training modules to boost security awareness.
Yet, despite these efforts, 69% of employees admitted to bypassing cybersecurity guidelines in the past year, and 65% opened emails from unknown sources. These figures suggest that while awareness is important, it is not sufficient to combat risky employee behaviour.
Gartner’s Four-Part Strategy – More Than Awareness
To address these challenges, Gartner proposes a new, human-centered approach to insider risk management. By understanding the factors that influence employee behaviour, organizations can foster a culture that prioritizes security. Here’s a breakdown of Gartner’s four-part strategy:
1. Rescope Security Programs
Traditional security programs often focus on compliance, but Gartner recommends shifting toward a strategy that emphasizes behavioural change. Organizations should redesign their security programs to include metrics and initiatives that build a security-conscious culture, ensuring that employees not only understand the rules but also internalize them.
2. Leverage the PIPE Framework
Gartner’s PIPE framework—standing for Practices, Influences, Platforms, and Enablers—serves as a foundation for developing a Security Behaviour and Culture Program. This model helps organizations create environments that encourage secure practices and reduce avoidable risks by aligning human behaviour with cybersecurity goals.
3. Integrate UX into Cybersecurity Controls
Employee behaviour often reflects frustration with security measures that are cumbersome or obstructive. By designing intuitive, user-friendly cybersecurity controls, organizations can reduce friction, improve compliance, and minimize the likelihood of employees bypassing these measures. Simplified processes mean fewer mistakes.
4. Design Role-Relevant Learning Experiences
A one-size-fits-all training program is often too generic to address specific security risks employees face. Gartner recommends tailoring cybersecurity training to reflect the real-world scenarios employees encounter in their roles. This customization not only makes the training more relevant and engaging but also highlights the consequences of poor security decisions in a way that resonates with each employee.
Building a Security-Conscious Culture
Insider risk is one of the most critical cybersecurity challenges facing businesses today. But with the right strategies, organizations can foster behavioural change and mitigate the risks associated with employee actions. By adopting Gartner’s human-centric approach, organizations can move beyond basic awareness training and create a security-conscious workforce that acts as a first line of defence against both accidental and deliberate threats.
At DataUP, through our partnership with Halodata and other key vendors, we are well-positioned to help you implement these behavioural change strategies within your organization. If you’re ready to build a security-conscious culture and reduce insider risk, reach out to us today to discuss tailored solutions.