Why Employees Are Lax About Cybersecurity (And What to Do About It)

As more businesses see the benefits of regular cybersecurity training, employees may notice an uptick in phishing tests and awareness meetings. Yet despite these becoming more common, you may notice that people’s performances tend to slip over time, or maybe there are a few employees who just can’t seem to get the hang of the security protocol system. Whatever the exact issue, you just can’t understand why employees don’t seem to care as much as you do about the organization’s protection.

There’s a reason why you can’t seem to get your staff 100% invested in cybersecurity, and it’s not carelessness. Whether it’s innocent mistakes or calculated violations, understanding their motivations will help you get the whole organization following protocol to a T.

Stress and Overflowing Plates

Most of the time, employees don’t want to do the organization any harm. They have genuine intentions to follow their cybersecurity training and report threats as noticed. The problem is that they’re often way too busy to notice much.

Overworking your staff can be one of the biggest risk factors that cause unintentional insider threats. Stress from the job can cause reckless behavior, cutting corners out of necessity, and missteps that wouldn’t be made with rest and a good work-life balance.

One Harvard Business Review study found that 67% of workers fail to fully comply with at least one cybersecurity standard or policy on a regular basis. The cause wasn’t laziness; usually it was to provide better output, to get or give help, or because of stress from both inside and outside the company.

What Can You Do?

When home life is what’s conflicting with their productivity, it’s hard to provide resources within the employee’s workday that mitigate the issue, like you could if it were a tiff between coworkers or a project deadline. Instead, you have to encourage their compliance with your security standards in more creative ways.

For starters, recognize dedicated employees who are always careful about how they approach potentially risky situations. They’ll stand out as ‘security leaders’ for their teams, people whom teammates can approach with day-to-day questions and aspire to rival in cybersecurity competence.

Find different mediums to communicate effective protocol, from team meetings to minor competitions. This will not only reiterate the information enough to help everyone remember it, but also reach participants whose memories work best when taught in out-of-the-box ways.

When in Doubt, Go to the Source

Why not ask your employees directly what obstacles they encounter when trying to comply with your cybersecurity protocol? Perhaps there are steps you can eliminate to streamline reporting, areas of the job where you can reduce some of their burden, or even just ways to broaden their understanding of how cybersecurity missteps impact the overall organization. Information is ripest at its source.

Additionally, there tends to be ample opportunity to block activity on the company network that people attempt before first following proper security protocol. This can be a little more arduous and add steps to their daily tasks, but it’s effective in stopping accidental risky behaviors.


Getting everyone in the organization to follow security protocols as directed every single day can be a difficult task. Hopefully now you understand some of the reasons why they fall short, so you can begin to address the particular problems facing your workforce. If you notice a pattern of complaints amongst many of your workers, there may be changes you can make to help reduce their stress and thus increase productivity and security compliance.

Cybersecurity compliance IS important to take seriously every single day. Encourage employees to care about it with transparency, patience, and creative strategies that help them work better, smarter and more securely.