Stellenbosch - Most companies are focusing primarily on physical cyber security barriers like firewalls, while forgetting the potential risk posed by their employees' behaviour, says Gundu Tapiwa of the Sol Plaatje University in Kimberley.
"Humans hold the keys for cyber criminals to unlock the door to your company that you think you have locked sufficiently," he cautioned during a presentation at the 14th International Conference on Cyber Warfare and Security, hosted by the University of Stellenbosch and the CSIR.
Curiosity killed the cat
Research shows that about 49% of employees would fall into the "naïve" category, Tapiwa said.
Furthermore, he added, his own research found that many employees who indicated during a cyber awareness campaign that they would act in the appropriate manner to avoid a cyber security breach still went ahead and took risky actions under test conditions.
For instance, when he placed flash discs containing random software in plastic bags at a business, almost all the employees ended up inserting the flash discs into the company computers to see what they contained.
"You cannot totally eliminate risk, but you have to try to limit it to an acceptable extent," he said.
His research further showed that the effectiveness of a cyber security awareness campaign – aimed at giving employees knowledge only – would still be questionable.
Non-compliance by employees still persisted even after they had completed the campaign, he found.
Get around the human factor
"Companies should, therefore, find ways to get the human factor to behave in a cyber secure way," said Tapiwa.
"Employers should not just assume that employees will follow the prescribed behaviour. I tested them and, although their intentions sounded good, in the end their actual behaviour was different – risky."
That is why, in his view, there should be some form of consequence for employees who put the company at risk with their cyber interactions. It could even include impacting their salaries, he believes.
"My research showed the cyber challenges caused by employee behaviours – whether they behaved in a cyber risky way knowingly or unknowingly.
"And even if they were aware that they were behaving in a cyber risky way, it seems many still might not want to change their behaviour," said Tapiwa.