Red Flag Reluctance: The Risk to Cybersecurity
Part two of a four-part series covering Ivanti’s latest research. Get the full series:
- Which Gen Is Most Tech-Savvy? A Workforce Dilemma
- International Inconsistencies: How Cybersecurity Preparedness Varies Across Countries
- Taking a Real Look at Hidden Risk
Keeping an organization safe means getting near-real-time information about security incidents or breaches. But new research shows some employees are less inclined than others to report red flags, which puts your business at risk.
Will your employees get in touch quickly if they have a security concern? Again, it’s dangerous to assume they’ll take action even when they understand the potential risk to their organization.
In the first post in this series, we looked at the hidden cybersecurity threat created by employee demographics and dangerous presumptions companies make about them. In this article, we’ll see what new research from Ivanti reveals about the reluctance of some workers to raise red flags, even about very critical threats.
What groups are less likely to raise alarms?
Ivanti’s research, involving a survey of 6,500 executive leaders, cybersecurity professionals and office workers worldwide, shows specific segments of your employee base may hesitate to reach out to alert your cybersecurity team about issues.
This is something any organization should be aware of as it develops outreach and training programs for its employees. So what are the groups that are more likely and less likely to raise red flags?
The biggest swing variable in reporting issues is seniority. Seventy-two percent of leaders we surveyed say they’ve contacted a cybersecurity employee with a question or concern, compared to just 28% of office workers.
Did you know?
Executives are twice as likely as office workers to report security interactions as "awkward" or "embarrassing." These more frequent yet negative security interactions may accelerate executives' use of external, non-approved tech support – reportedly at four times the rate of office workers.
Women are less likely than men to reach out. Twenty-eight percent of women have contacted a cybersecurity employee with a question or concern, compared to 36% of men.
Willingness to contact security varies greatly by country. For example, nearly half of office workers in China have contacted the security team with a question or concern, compared to just 20% in Australia.
Why it matters
Your security position depends on hundreds or thousands of employees playing defense. Do your employees know they’re valuable members of the extended security team?
Our security preparedness study asked security professionals about their biggest industry-wide vulnerabilities. Ransomware and phishing ranked number one and two. And these threats are becoming more dangerous with each passing year due to advances in generative AI, which make phishing harder to spot.
All this means your employees need to feel comfortable approaching IT and security — even if the only “proof” they have of an incoming attack is a nagging doubt. (Some examples: an atypical wire transfer request, a suspicious invoice reminder, or an unsolicited password reset link.) During an active security incident, speed is the single most important factor in defending against an attack.
When employers conduct sentiment surveys to understand employee attitudes, they should drill down to investigate demographic patterns and vulnerabilities. These insights are key to improving overall security preparedness.
“We’ve experienced a few advanced phishing attempts, and the employees were totally unaware they were being targeted. These types of attacks have become so much more sophisticated in the last two years — even our most experienced staff are falling for it.”
— Ivanti survey respondent
In our next post in this series, we’ll dig into the matter of geography. For a large or multinational organization, it’s vital to understand how employee cybersecurity beliefs and behaviors vary – sometimes considerably – by country.