Nearly three-quarters of office workers in Ireland believe their employers hold staff personally accountable for cybersecurity incidents, according to new research from IT.ie and SonicWall. The research is based on a survey carried out by Censuswide, which gathered responses from 1,000 office workers in Ireland. Its findings provide insights into how blame culture affects cybersecurity practices and highlight the need for strategies that encourage openness and collective responsibility.

“While it is on all of us to be vigilant, the average office worker is not a cybersecurity expert; the onus is on business and IT leaders to ensure they have taken every step possible to safeguard their business and people,” said IT.ie’s founder and managing director Eamon Gallagher.

The research found that 29% of respondents had witnessed at least one colleague being dismissed for unintentionally causing a cybersecurity breach. Additionally, over one-third of workers indicated their employers “always” attribute responsibility to employees for such incidents, while 35% said this happens “sometimes.”

Fear of repercussions appears to discourage many employees from reporting cybersecurity issues. More than a third of participants admitted they had not disclosed a breach within the last 12 months. Embarrassment and apprehension about potential consequences were cited as the primary reasons for this lack of disclosure. Furthermore, 20% of respondents reported feeling uncomfortable about raising cybersecurity concerns with senior management.

The implications extend beyond immediate reporting behaviour. Over two-thirds of surveyed workers said they would leave or consider leaving their jobs if they were responsible for a cybersecurity breach. The research also found that half of the respondents experience stress related to cybersecurity demands in their roles.

A significant portion of respondents called for increased organisational support, with 79% believing companies should offer mental health resources for employees affected by cyberattacks. Additionally, 60% stated that employees should not be held responsible for unintentional breaches, pointing to a need for organisations to reconsider their accountability frameworks.

SonicWall’s Northern Europe regional director Stuart Taylor stated that holding individuals accountable for breaches does not tackle the underlying causes of cyber incidents. Taylor added that doing so cultivates a fearful environment that can stifle transparency.

“It’s important for organisations to build a positive atmosphere where employees feel empowered to report concerns without the fear of repercussions,” Taylor said.

Global surveys highlight cybersecurity blame culture across workplaces

The perception of personal accountability for cybersecurity incidents extends beyond Ireland, as similar trends have been observed in other countries through recent studies.

In the US, the EY 2024 Human Risk in Cybersecurity Survey identified that 34% of employees were concerned that their actions could expose their organisation to cyberattacks. This underscores a widespread sense of individual responsibility for cybersecurity risks among workers.

A survey conducted by CyberArk, which gathered responses from nearly 14,000 employees across the US, UK, France, Germany, Australia, and Singapore, revealed that 80% of participants accessed workplace applications containing critical business data via personal devices. These devices often lack sufficient security measures, underscoring the pivotal role employees play in organisational cybersecurity. The survey also found that 65% of employees circumvent cybersecurity policies, a trend largely driven by hybrid work models and the demand for flexible access.
