Employees are the Biggest Threat (and the Best Solution) for Information Security

Most Information Security professionals have said the following at least a dozen times: “It doesn’t matter how much we lock down our technology. Employees balk at password changes or they’ll open unknown attachments without thinking. If our people won’t change their habits, we’ll forever be vulnerable to attack.”

Did you know that 43% of cyber attacks are on small businesses and most of those start with email? Did you also know that 60% of small businesses go out of business after a cyber attack?

Cyber criminals, hackers and nation states are prepared to spend whatever time it takes to seek out and exploit weaknesses across the globe, yet companies struggle to get employees and vendors to align with and support information security initiatives. Why? There are two simple reasons: employees resist behavioral change, and management is ineffective in supporting that change. Brown Bag believes that marketing and communications can play an active role in addressing both.

Security Awareness Posters from a recent internal Brown Bag campaign created by Inspiredlearning.com

As marketers, we strive to understand the audience and identify the key insight into their behaviors, motivations, preferences and needs. It’s the same with employees. If we understand what’s behind the resistance – “I don’t want to” and “I don’t know how to” – we can address that resistance and create buy-in. For example, where do employees look for information? Do they check their emails each morning, or do they look on the company intranet or Slack channels? Their rituals, personal values, company policies, notions of time, roles, and even material objects and possessions influence employee behavior. Uncovering these insights helps us understand and respond to the “why” behind a lack of change.

We should embrace committees and cultural influencers in the company. Tap into personal experiences – an employee who has experienced identity theft can be a great champion of an information security program. A well-defined, integrated plan that identifies a single education and training module each month is far more effective than loading up employees with information explaining all seven or eight tasks you’d like them to learn. If phishing is a priority, teach employees what to look for, but don’t include the finer points of data encryption until a later lesson. Extend the campaign into multiple forms of media throughout the company. Celebrate wins. Reward employees who respond appropriately to suspicious emails. Once a well-planned training program is established, a proven method for measuring progress can prevent employees from reverting to bad habits.

What employees know is valuable. The information they collect throughout the day is valuable. And the brand they promote on your behalf? That’s valuable, too. Cyber security threats will never cease to exist. And neither should the process of preventing them.

Are you looking to change employee behaviors and secure information inside your organization? Before joining Brown Bag Marketing, Chris served as a Creative and Strategic Lead inside the Behavior Management division of the Office of Information Security at Mayo Clinic in Rochester, MN. Contact Chris (cstanfield@brownbagmarketing.com) to learn more.