Employee or Employer: Where does the cyber breach responsibility fall?

Published: 12 October 2022

Impact of Remote working

According to the latest cyber review from the NCSC (National Cyber Security Centre), the rate of targeted cybercrime is at an all-time high. It has never been more important to clarify who is responsible for managing and preventing cyber-attacks: the employee or the employer.

No one was prepared for the sudden need for a large proportion of the workforce to work from home at the onset of the pandemic. Businesses very quickly had to move services online, relying more on the cloud. Cyber criminals saw an opportunity to exploit cracks in the security of those who were not prepared. Even the big players were affected. In March 2021 Microsoft announced that their Microsoft Exchange Servers were being attacked; 30,000 companies in the US and many more worldwide were affected.

In the UK the biggest threat faced has been ransomware. In the real world, these attacks have resulted in food supplies being affected, increases in fuel prices, loss of access to public services and much more.

For a lot of businesses, it’s the employee who bears the brunt of the blame. Of 2000 employees surveyed, 21% lost their job in the last year for clicking a deceptive email. However, as far back as 2013, The Guardian was discussing where cybersecurity responsibility lay. Instinctively, we turn to IT when there is any sort of breach. But is that the right place to go? The Guardian article states that good cybersecurity starts at board level. So, what can be done to lead the fight against cyber threats from the top down?

  • Offer training

To try to combat these attacks, companies could offer cybersecurity refresher training with a focus on the new remote and hybrid working environment. Cyber-attacks are constantly evolving and becoming more sophisticated, which leads to many people simply not being aware that they are being targeted. Proper training could help with this. Ideally, the training would cover everything from password hygiene and phishing emails to unverified requests through social media accounts. It’s also important that employees know the process for reporting a breach. Speaking of which:

  • Set Procedures 

Assess your current ‘cyber posture’ and what you consider acceptable risk. Then start to work on the procedures you’re going to put in place. In doing so you need to consider current regulations and ensure you’re compliant. Your staff should have a clear set of instructions for any eventuality. Who do they contact? What information do they need? There should be a time limit for letting the right people know and clear expectations for resolving the issue. Most importantly, these processes should be communicated to all staff, particularly what the impact of ignoring the warning signs could be.

  • Test, test, test 

Ideally, doing all the above should result in safe and secure data. But people make mistakes or lose focus all the time. The best way to make sure your employees are being safe is to routinely test them. Companies should send out mock phishing emails or other types of attacks that their employees have been trained on to try to catch them out. If anyone falls for the test, then they get retrained. Cyber security should become part of company culture and not just an afterthought.

  • Automation 

Unfortunately, people are always going to be the weakest link. The best thing to do to mitigate this is to automate technical controls as much as possible. Lock down privileges according to role and implement strong password policies. Audit user actions and make sure controls are enforced on all assets.

Summary 

So ultimately who is responsible for the security of a business’s data, the employee or the employer? Take the example of a losing sports team. Is the goalkeeper at fault for letting the ball past? Or the defender who failed to stop the attack? Or the manager, who didn’t make a successful game plan? In business, do we blame IT for ineffective cyber defences? The CEO for failing to implement a cyber awareness culture? Or is it the fault of the employee who clicked the link? The responsibility lies with everyone. Management must implement good cyber security practices and ensure employee buy-in. Employees must apply the training they’ve undertaken and be vigilant. Responsibility is a loop.

If you’d like to talk to one of our Cyber Security experts to make sure that your business is practising safe cyber security, then please get in touch. 
