Protection from cyber-attacks is often focused heavily on securing IT systems & devices and tightening processes. Whilst both of these are vital elements of an effective security strategy, there is one other critical component of data & information security risk that MUST not be overlooked: people. People can represent a significant risk in two core ways: innocently falling victim to a cyber-attack, and intentional insider threats. With home and remote working now the norm across industries, people are working at scale in less secure environments, and this has increased the level of insider threat.
Most risks associated with employees are fairly innocent in nature and are the result of people clicking on malicious links in phishing campaigns or unknowingly opening up systems to malware or ransomware. A level deeper than this is where your staff are targets for spear phishing or social engineering campaigns. Cyber criminals will target specific employees with the intention of gaining access to data or systems based on the individual's role or their personal vulnerabilities.
Despite best efforts in organisations of all sizes and types, staff have some degree of autonomy, and risk sets in from the moment they choose not to apply what they learned during their onboarding. Often this is where policies or regulations are not adhered to: they may make doing the job harder, so working around them feels like the job is being done more efficiently. Now think about this happening across multiple people and different departments with no visibility for management, and things can snowball rapidly.
Often, though, it is the senior staff or the high fee earners who tend to get caught out. Being particularly busy, not following processes that slow them down, or not spending the same amount of time on training because their time is considered more valuable: all of these add up to increased risk. Cyber criminals know this, and it is part of the reason they target these people specifically, in addition to the fact that they might have higher levels of authority, for authorising payments, for example.
Research conducted by Verizon reports that around 22% of security incidents are the result of insiders, not a number to be ignored by any organisation. This is not to say that they are all intentional or malicious, but with nearly a quarter of costly incidents happening through human error or intent, organisations have to take steps to mitigate this as best they can.
In larger enterprise organisations there may be a need to further reduce people-based risk by running a series of checks as part of the recruitment process; looking into how individuals who will be handling sensitive data and information have conducted themselves in previous roles could highlight areas of concern. Insider threats may seem an unlikely possibility for your business, however ignoring this rising threat could be very costly.
There are a number of ways in which organisations can mitigate the risk of insider threats:
- Ensure senior staff know what the threats are and send a message of support from above
- Run background checks on staff coming into roles where sensitive data is managed
- Enable people to speak up about at-risk employees who may be disgruntled
- Ensure physical security & access are managed under the principle of least privilege
- Assess risk based on the specific risks relating to on-premises and cloud-based working
- Implement policies & reviews for remote working to ensure compliance
- Screen employees during their notice period, reviewing their activities and access logs
These actions require cross-functional working where it may never have happened before. For example, IT & HR need to engage more closely when an employee departs, or the finance team need to ensure that IT can provide information on data access that is out of the norm for a particular employee. Taking these steps may open up a world of unknown unknowns, so be prepared for this and take your time to understand what the potential risks are for your particular business and how you operate.
Responsibilities & Culture
With the threats present today, senior leaders and managers need to be held accountable for ensuring that cyber risk is managed not just in terms of infrastructure, but also across all people and the risks associated with their work within all functions. We don’t want to knock people too much, as the reality is we cannot run our businesses without them; indeed, owners and leaders need to work towards a security culture where people are invested in so that they become a significant line of defence. Supporting staff to understand the risks and how best to protect against them requires ongoing attention and investment that will pay back when your teams are targeted.
Building your organisation to be more risk aware and positive in response to cyber threats needs rapid attention: according to Businesswire, research from Egress in the US & UK found that only 54% of employees feel trusted and empowered by their organisation's security culture. A security culture built on embedding the behaviours that enable staff to operate securely requires more collaboration across departments, as the human risk elements cannot be effectively understood and managed in departmental silos.
Having identified how best to evolve your organisational culture to focus on security, your work now turns to engaging with employees and making that change happen. Two of the most effective ways to do this are through policies and training. The main purpose of cyber & information security policies is to detail the standards for the processes and technical measures implemented within your organisation. Any policy that is implemented needs to be understandable (often non-technical), and it needs to make sense to those it affects and who are expected to follow it in their daily work.
The expectations you have of your employees around security cannot be left solely with them to understand and meet; people need continued investment and support in the form of regular and targeted cyber & information security training. Taking this approach not only enables you to build a security-focused culture and make policies and procedures real and embedded, it offers a forum in which staff can ask questions, share learnings & experiences and feel a key part of building a more secure organisation.
Beyond the benefits for the business, employees will gain something valuable in managing their own digital and online security, a benefit that should not be underestimated as our personal lives become more reliant on technology that has access to our most personal information. Investing in your staff should not be seen as something that benefits only the business: more secure and engaged employees will naturally be more attuned to risks within the business.
What steps are your organisation taking to promote its desired security behaviours? If you are wondering how to begin understanding the threats from inside your organisation, or how to build security competence in your people, CyberScale’s consultants and trainers are able to support your business.