In business, there always seems to be one concern after another: Sales, marketing, finance, legal, you name it. If it isn’t about finding new customers, it’s about retaining employees. Or maybe its cash flow issues or avoiding legal claims. But one concern that’s been on the rise in recent months is information security.

And it makes sense. After spending thousands, millions, and even billions of dollars on generating new business, making sure employees are satisfied, and a host of other operational sustainability concerns, no business wants to see those resources go to waste due to a security breach.

Whether it’s hacking that puts private customer and employee data at risk or stealing valuable intellectual property and trade secrets, corporate security concerns—especially for information and cybersecurity—are present and important.

PwC conducted The Global State of Information Security Survey 2016, which provides some telling stats:

  • Over a third (38%) more security incidents were detected in 2015 than in 2014
  • Information security budgets went up 24% in 2015
  • Employees remain the most cited source of compromise

That last point about employees is what’s most concerning and also supported by two other sources. One, The 2015 (ISC)2 Global Information Security Workforce Study by Frost & Sullivan, cites that 54% of respondents believed internal employees were a “Top or High concern.”

The second supporter is an article on Quartz, which cites the Sailpoint 2016 Market Pulse Survey. Specifically, the article notes that 1 in 5 employees (up from 1 in 7 in 2015) would sell their work passwords.

Yes, sell their passwords.

What thief needs to pick a lock when a tenant simply hands over the key?

And guess what country more than leads the pack with 27% of respondents ringing true to the old adage everyone has a price? The United States, AKA good ol’ Corporate America.

Keep in mind that the survey only included companies that employed at least 1,000 people, so small businesses were out of the running. The fact that over ¼ of those surveyed responded with such apathy regarding security has numerous implications.

So what’s to do be done about such an undesirable situation where employees feel disloyal or indifferent and companies are seemingly threatened by ¼ of their employee base?

Since the problem is a mental one, instead of physical, the root cause can likely be traced back to the workplace or company culture. The work environment and its participants help shape the thoughts and feelings of employees concerning the organization.

Thus, the impetus should be to fix corporate culture. But that’s easier said than done since fixing culture, especially in large organizations, can take lots of time, lots of money, and lots of energy.

That doesn’t mean organizations can’t take a few measures to improve culture. Let’s look at a few requirements for helping organizations foster great employees.

It Starts at the Beginning

The hiring process is the first stop for improvement measures. Bringing a “bad apple” onboard is a sure way to spoil the basket. In addition to considering the knowledge and skills of a candidate, organizations need to place a strong emphasis on character.

Recommendations act as a powerful source for this requirement, whether called on the phone or reviewed on your LinkedIn profile. (To my fellow professionals: You do have numerous glowing LinkedIn recommendations, right?)

When hiring managers or recruiters are calling references, are they asking for more than how the candidate performed in their last role? Are they asking the hard-hitting questions about the candidate’s character and trustworthiness? They should be. A great hire will be a well-rounded one, not just smart or skilled.

Will this completely remove the possibility of hiring a disloyal, untrustworthy, or even vindictive employee? Of course not. But it can certainly help curtail those chances, especially when coupled with additional measures.

Knowledge is Power

Also cited in the PwC study: Only half (53%) of organizations provide an employee training and awareness program, which means the other half of organizations have employees that may be oblivious to the impact of information security or even what it means.

Beyond that, many organizations might be surprised at how, despite efforts to educate employees through basic training and presentations, employees may not truly understand just how damaging their individual actions can be.

So even if every organization offered such awareness, the program by itself may not cut it. If there’s no follow-up (or even follow-through), when it comes to proprietary system access, some employees may consider a password simply an innocuous digital item they have to remember:

It’s just a password. No big deal.

Who wants access to a few of my worthless spreadsheets or documents anyway? Or to be able to chat with Susan down in purchasing?

Without knowledge of the potential impact sharing (or selling) their password has, employees may continue to be in the dark on security in the digital era. And beyond being informed, knowledge can empower employees to understand that, though one of many in the organization, their individual actions can have significant and far-reaching effects.

Employees Just Want to Be Heard Listened To

Recall the last time someone ignored your opinion. Or didn’t want to hear what you had to say. Or worse, heard you and nodded, but didn’t actually absorb your message.

When we speak, other people may hear, but that doesn’t necessarily mean they are listening.

If someone hears you, they were close enough for their ear to pick up the sound vibrations coming from your vocal chords. If someone listens to you, they took a concerted effort to understand your message.


As participants in the organization, employees want to know that they are not just another “cog in the machine.” They want to be Rebecca from accounting and Jason from marketing, not employee ID 49986 and 49987. And they want to know that “the powers that be,” or management, or the appropriate committees, or whomever has the ability to enact positive change within the organization is genuinely listening to them and considering their input.

And no, a comment box does not satisfy this requirement. That goes back to employees simple being heard instead of listened to.

Morale Can Be a Savior (or a Curse)

Morale, or “employee engagement” if we’re using more popularized verbiage, can motivate employees to perform at their best. But when low, it can do the exact opposite.

Stuart Woollard, writes in a CBS News article about disengaged employees: “Less engaged teams are less productive, less customer-focused and prone to withdrawing their efforts and adopting counterproductive behaviour. This may manifest itself as neglect, gossiping, theft and other disruptive behaviour.”

The majority of those 27% of respondents that would sell their company passwords are likely disengaged. Some may have just been the “bad apples” that made it into the basket, but many were likely just not connected or engaged with the organization.

What’s the fix? There’s plenty of cited tactics for improving morale, including

  • devising relevant rewards;
  • providing time and constructive feedback;
  • developing internal career paths; and
  • enabling professional growth and development.

Notice that these tactics all focus on giving back to the employee. They show appreciation and that employees are valued, which are the aspects important for boosting morale and engaging employees on multiple levels.

Connecting the Pieces

Corporate security is important for organizations to protect what they’ve built and keep their employees and customers’ information safe. Training is one part of the solution and can mitigate security concerns to a point.

But a deeper look into the corporate culture is necessary. Culture plays a major part in developing how employees view their organization, and whether they view it with admiration or respect, or with indifference or even hostility, depends on the actions of the organization and organizational leaders.

Hiring with an emphasis on character, empowering employees with knowledge, listening to their ideas and concerns, and ensuring they stay engaged just may make the moralistic difference in handing over the key to thieves.

Then perhaps a 2017 information security study will show a significant decrease in the willingness to sell passwords. I sure hope so.


What measures can organizations take to help engage you? And if you’re an organizational leader, what strides are you taking to improve company culture? Share in the comments section below.