Spoiler: Sorry. These days, it’s becoming increasingly clear that security is becoming an even bigger part of “everybody’s business”. 

People instinctively feel their productivity is hindered by security

IT’s always been easy to blame the IT organization’s security measures for hindering staff productivity. For many employees security is an inconvenience, and they security policies and restrictions to be annoying and frustrating. After all, it’s understandable if employees are thinking, “I was hired to do my thing, and these security rules are just slowing me down”.

Is IT shirking responsibility?

Now, on top of that, the phrase, “Security is everybody’s business” has become more common. So, it might seem to some people like the IT team is just shirking its responsibilities for putting good security measures in place. But, in reality, it is virtually impossible for the IT organization to completely secure your business through automated technology alone. And it’s almost a certainty that having a highly secure work environment will impose some unpopular restrictions on what employees can do.


For example, guaranteeing that the right person is logging in to a business system requires strong authentication controls like “two-step authentication”, since attackers are becoming good at breaking into password-based logins. But for two-step authentication to work, you always need to be carrying your smartphone or a token device, which might not be convenient for some people. Fortunately, two-step authentication is becoming much more acceptable and common, as Adam Crate of Grade A mentioned in my interview with him in Episode #1 of the “Can I Be Phished?” video podcast.

Balancing security is always hard. But now with “cloud” and COVID-19…

So, more often than not, to reduce inconvenience, security restrictions might be set up to be less strict than they should be. This means that it’s up to employees to be aware of the limits on their organization’s security controls, and why they are configured the way they are. Without that awareness, employees can be expected to not only complain about the restrictions that are in place, but to occasionally do things that expose the business to risks.

This article cites the findings of a survey of 300 Chief Information Security Officers (CISOs), in which 80% of respondents said that they “can’t effectively manage excessive access to data in their infrastructure and Platform-as-a-Service (PaaS) environments.”

So, it’s not a big surprise that the same survey found that 80% of businesses have had at least one cloud data breach and 18% have had 10 or more breaches in the past 18 months.

Clearly, everybody needs to recognize the new limitations and make security their business more than ever

With this much exposure in the typical business IT environment, it is becoming clear now that employees need to be much more aware of the limitations of their IT security controls. And they must be informed on proper procedures to compensate for them. Unfortunately, not only will they will need to get used to being inconvenienced, but they will need to recognize that “Security really is everybody’s business”, or else they may be the cause of a major security breach, which could cost them their job.

To build “cyber herd immunity”, where everyone helps defend the organization, employees need to be engaged, educated and have the chance to practice their defensive skills. When they understand, and are confident, they will complain less about the burden.

Photo by Tim Gouw on Unsplash


Cyber Security

Phishing Defense

Phishing threatens businesses and opens the door to ransomware. Fight phishing and spear phishing attacks with gamified learning.

Social Engineering Defense

Social engineering scams are a serious hazard to businesses. Fight back with Click Armor.

Cyber Security Awareness for Remote Workers

Home-based workers are vulnerable to cyber attacks. Build team immunity today.

Privacy and Compliance

PCI Compliance Awareness

When team members work in an environment where they may encounter cardholder data, they need to know what to do to protect it.

Gamified HIPAA Compliance Awareness

If your business is a supplier to a healthcare provider in the USA or Canada, your team needs to know what to do to protect Protected Health information (PHI).

Gamified Learning Platform

Active Awareness Platform

Experience the power of tailored gamified learning with Click Armor. Take your security awareness training to the next level.

Blog / View All