Australians are pretty lucky compared to workers in other countries when it comes to leave provisions. Most people get 20 days of annual leave, ten days of sick leave and we have a decent number of public holidays to complement those.
But people seem to struggle to switch off and they end up taking their work with them. A survey from Deutsche Telekom has found that people who can't switch off represent a risk to the business.
Being able to connect anywhere and anytime is one of the great leaps forward for today's worker. It means working from home, or a café, is relatively easy. But it's not all benefit.
The research, which is focussed on European workers but, I think, is roughly translatable to Aussies, found that nearly a quarter of workers use free WiFi hotspots for work related email and documents, with 28% using their personal email for work.
Those issues, while not holiday-related, can be exacerbated if people are more relaxed and decide to quickly reply to an email or punch out a message using the most convenient, but often least secure, means available. With almost a third of workers admitting they use personal devices for work and over a quarter saying they email work documents to private email addresses, it's clear risky online behaviour remains a significant problem.
While it might be easy to blame workers for lax practices, 28% of employees, according to the data, have never received any cybersecurity training.
All of this leads to one inevitable conclusion: many companies need to step up their security training programs. It's no longer good enough to offer annual "tick the compliance box" training followed by a multiple choice quiz, or cheesy videos with bad actors demonstrating what happens when you use a dodgy password.
The training needs to focus on two things: addressing real risks to the business and the self-interest of employees.
I started my work life as a high-school teacher and the basic principles I used in designing curricula then still apply today, even in a corporate setting.
- Focus on real problems: Avoid the temptation to send regular communications about the "threat of the week". The business problems of ransomware, for example, aren't what vector was used or the cost of the ransom. The real issue is loss of data and interruption to operations. While the recent NotPetya attack was technically interesting, the real impact was companies like Cadbury and Bega had to shutdown for days. In fact, Bega's purchase of Vegemite was at risk because of the attack.
- Pander to self interest: While paying attention to business risks is important, make sure the training addresses the concerns of workers. for example, rather than blindly saying things like "Complex passwords are good", ask people how they would feel if someone accessed their personal email or social media accounts without permission. It's then an easy leap to get them thinking about managing password security in the office.
- Repeat but not in a boring way: One of the secrets to successful education is repetition. But not in a boring way where we hear the same thing in the same way. Good education programs repeat and build on concepts so people hear or see the same things in different ways.
- It's not a technical problem: Good security isn't a technical problem; it's a behavioural one. that means the IT department needs to be part of the training effort, not wholly responsible for it. Engage with marketing, sakes, HP and other departments to create an interesting and engaging program that appeals to as many people as possible.