Trust is the cornerstone of thriving, dynamic workplaces. When employees have confidence in their colleagues and leaders, it sparks ethical decision-making, boosts loyalty and strengthens their commitment to staying with the company.

The statistics speak for themselves. According to research from Deloitte, trusting employees are 260% more motivated to work, have 41% lower rates of absenteeism and are 50% less likely to look for another job.

From improved teamwork and collaboration to higher morale, better communications and greater honesty, the list of benefits is extensive.

However, trust is not a one-way street. Employees who trust their organization and leadership are one lane, but the organization must trust its employees, too.

The Complexity of Trusting Employees

Having employees you can trust comes in different flavors. Yes, you have to trust that they will perform the job they were hired for. In some cases, you need to trust that they will stay in the boundaries that have been defined for their roles. Meaning, for instance, software engineers with coding skills and technical knowledge should stay out of customer relationships or marketing campaigns. Similarly, sales representatives shouldn’t tinker with the company’s IT infrastructure or develop financial projections.

But that’s all fairly manageable with the right people in place. Which, thanks to remote working and AI, is increasingly becoming a tall order. Basic employee trust now comes with even higher levels of verification on the employer’s part as it has become hard to truly be certain that the person you hired is actually who they say they are. Take, for example, KnowBe4, a well-regarded cybersecurity awareness training company that recently,  inadvertently, hired a state-backed North Korean threat actor posing as a U.S. citizen. KnowBe4 did everything right from vetting the candidate, doing background and reference checks and conducting several rounds of video interviews and yet still hired a national security threat. And, it turns out KnowBe4’s situation isn’t an isolated event: In August the federal government arrested a Tennessee man for running a laptop farm that helped North Korean workers pretend to be U.S. employees.

While nation-state imposters are extreme examples, it’s not hard to understand that employee actions are often the primary reason for security breaches arising.

A Full 63% of Businesses are Concerned Workers Might Expose Them to Breaches

This is according to new findings from a recent Apricorn survey, highlighting the pressing need to reassess the scope of responsibilities given to employees when it comes to managing company-wide security.

Carrying out a May 2024 survey of 604 IT security decision-makers working at large companies across the UK and the U.S., we found that phishing (31%) and employees unintentionally putting data at risk (30%) took the top spots as the main causes of a data breach within organizations, closely followed by ransomware (29%).

This is a significant concern. Despite advancements in cyber threat sophistication and attack methods, most breaches still stem from employees either falling prey to traditional tactics or making errors.

While companies are implementing more robust policies and improving control over remote access to systems and data, these efforts are often undermined by employee actions, both accidental and malicious.

The result of this is interesting – namely, trust in employees is dwindling, with 63% of our survey respondents concerned that mobile and remote workers might expose them to breaches.

Critically, the impact of these actions is not necessarily due to a lack of effort on the part of employees. In fact, 95% of those IT and security leaders surveyed in the UK and U.S. agreed that their organization’s mobile/remote workers were aware of IT security risks and practices.

Instead, the issue lies in the fact that confidence in employees to uphold enterprise security is often misplaced, with 73% of remote employees said to lack the essential skills and technology needed to ensure data security.

Enhancing Awareness and Reducing Responsibilities

Placing excessive trust in employees who lack the necessary capabilities to protect the organization can lead to serious security risks.

The adage “a chain is only as strong as its weakest link” springs to mind. Indeed, no matter how advanced your technical defenses are, they can be undermined if employees aren’t equipped to handle security properly.

To address these vulnerabilities, enterprises must take decisive action to bridge current security gaps and build more robust and secure data environments. And that must begin with a focus on cultivating a stronger security culture – one that emphasizes clear policies and well-defined responsibilities for all employees.

Creating such an environment requires more than just implementing rules. Equally, firms must ensure that the workforce is thoroughly aware of the risks associated with various tools, actions and devices.

While it can be challenging to know where to start, a practical first step is to adopt the principle of least privilege – a core aspect of zero trust. This approach limits employee access to only the solutions and systems necessary for their specific roles, reducing potential security risks.

In addition, we would also recommend that firms focus on ensuring that staff are not able to use whitelisted devices to access corporate networks. Indeed, these can act as open doors for cybercriminals, offering them unchecked pathways into a network, enabling them to easily undermine security protocols.

Reining in responsibilities in this way is vital. When employees have only the access they need, they are less likely to accidentally expose sensitive information. Moreover, with access limits in place, security teams gain comprehensive visibility into any incidents that do occur.

This approach not only helps prevent unauthorized data movement but also prevents threat actors and malicious insiders from easily navigating through your network and extracting valuable data or introducing malicious code.

Any New Policies Must be Implemented With Care

Restricting access is a logical step for organizations to take in reducing any excessive trust in employees. However, this process must be approached with care.

Security policies need to be communicated and designed to maximize effectiveness and, at the same time, minimize their impact on workflow. If employees find them too complex or confusing, they may become frustrated and look for ways to bypass controls, ultimately working against the security strategy rather than with it.

This challenge is amplified in today’s hybrid work environment. Remote workers can’t turn to support staff as easily for help in understanding or navigating cumbersome policies, making them more likely to turn to unapproved tools and devices that might increase cyber risk. Therefore, policies must be tailored to fit the needs of mobile workers and contractors to mitigate these risks effectively.

Today, more than ever, it’s a transition that companies must make. By reining in responsibilities in this manner, enterprises can ensure that the opportunity for breaches to arise from the actions of staff members is minimized, helping to reinforce a more effective, unified approach to security.