3 reasons users can’t stop making security mistakes — unless you address them

A related issue is that users are often reluctant to report a problem because they fear the consequences of having taken an action that puts the company’s security at risk. Such delays in notification give malicious actors more time to cause serious damage. According to Verizon’s DBIR, it takes an average of 55 days for organizations to patch critical vulnerabilities, and that time can translate into serious losses, from costly ransomware attacks to damage to the company’s reputation.

CISOs can address this issue by further fostering a culture where everyone recognizes the essential role they play in maintaining the security of the organization. Instead of contributing to a culture of fear by naming and shaming, CISOs can highlight people who have made smart security decisions and averted risks, holding them up as role models and turning events into learning experiences.

2. They prioritize convenience over security 

People are naturally inclined to find the fastest possible route at work, and that often translates into taking shortcuts that compromise security for the sake of convenience. Even tech employees are not immune: for example, they import libraries from public repositories on the assumption that these are safe, even though such repositories continue to be used to distribute malware and steal passwords.
