Digital tools and technology play a central role in the modern employee experience, now more than ever. Employee Experience (EX) refers to the interactions between a worker and their co-workers, leaders, and organisation, encompassing the human, physical, digital, and organisational work. EX considerations are critical to attracting, retaining, and engaging employees to create (and maintain) a cyber-resilient culture. While digital tools support workers in achieving greater flexibility, they expose the organisation to additional cyber risks.

Organisations should strive to achieve a balance between cybersecurity and employee experience. Highly secure systems are likely to have poor user experience which can result in employees bypassing the controls. On the other hand, user-experience driven systems are less likely to be designed for a positive user experience which can result in employees bypassing the controls. On the other hand, experience driven systems may fail to meet the security needs of the organisation. Access to sensitive information and processes (privileged access) is another keyarea for consideration when trying to achieve the optimum balance. Ultimately, the EX and security landscape must align with the risk appetite of the organisation. This can be achieved by tying cyber awareness to the three stages of the employee lifecycle: join, develop, and offboard.

Join

New employees are more susceptible to phishing attacks than other employees¹. Unfamiliarity with protocols, pressure to make an impact or lack of awareness of how to securely navigate internal systems can all lead to increased cyber risk. As a result of the 2021 post-pandemic ‘Great Resignation’, 41% of US employees are expecting to change roles in the next year². Put simply, this increase in joiners, movers and leavers introduces increased cyber risk for organisations. Onboarding is the optimal time to set the tone for your cybersecurity expectations:

Security Awareness Training

Prompt an open conversation; identify and encourage cyber conscious behaviours relevant to your organisation, and ultimately help embed a cyber-secure culture from Day 1.

Threat Awareness

Employees should be made aware of Threat actor techniques.With phishing attacks on the rise, it’s important that employees recognise fraudulent emails. It’s not enough to not click the link, employees must report the email too. Therefore, it’s crucial that organisations facilitate a straightforward way to report worrying emails and communications.

Develop

Turn your weakest link into a key cyber defense. Organisations must adopt targeted interventions and a continuous-improvement mindset to help employees understand the importance of their role in cyber defense.Learning and development programmes should focus on employees developing sustainable cybersecurity knowledge throughout their career. Some key considerations for ensuring consistent cyber awareness training are outlined below:

Adaptability is key

Threats evolve, so we need to evolve too. Design an effective and continuous learning journey that combines culture and strategy and goes beyond ineffective ‘tick-the-box’ compliance training.

Organisations can keep learners engaged and keep cyber awareness top-of-mind by making the learning experience fun, for example by gamifying the experience by keeping a scoreboard of test phishing emails reported. This could help garner the attention of the learner.

Proactive, not reactive

Increasingly, attackers are leveraging social engineering techniques; training must be continuous, agile, and adaptable. Employees need to be made aware of the importance of being proactive with emphasis on time-sensitive actions e.g. flagging incidents or reporting phishing emails.

Offboard

Employee offboarding processes are conducted to mitigate cybersecurity risks such as data loss, compliance violations and confidentiality breaches. To combat these risks, organisations should make employee offboarding a priority by putting the right process in place. Consider the following elements:

Conduct an exit interview

Ensure that employees have their voices heard and can leave on a positive note, which can help lessen the risk of employees seeking to take information. It also provides an opportunity for key security processes such as returning devices to take place.

Revoke access to applications and services

Revoking access to applications and services ensures that the employee’s account cannot be used to access internal applications and services after the employee has left the organisation or team.

As workers increasingly connect and work remotely, it’s essential that organisations identify and manage these cyber risks. The best return of value on your investment in cybersecurity is realised when people, processes and technology are aligned. By building cybersecurity into the employee lifecycle, you can empower employees to be part of the solution. Stay tuned for our final blog in this series where we discuss the unique cybersecurity challenges presented by emergent hybrid work practices.

Have you considered: Where does cybersecurity tie into your organisations’ current employee lifecycle? It it effective?

References
1 Williams, 2018 https://www.sciencedirect.com/science/article/pii/S1071581918303628
2 Gallup, 2021 https://www.gallup.com/workplace/351545/great-resignation-really-great-discontent.aspx

Deloitte can help by looking at your business objectives and then customising, identifying, priortising and implementing processes and solutions to maintain a consistent approach to mitigating the cybersecurity risks organisations face. Cybersecurity threats are constantly evolving; we go beyond addressing the challenges of today to help organisations embed sustainable solutions to prepare for the challenges of the future. Reach out for more information or please visit our Cyber Transformation page.