Having just attended the Insider Threat Summit last month, I was surprised at how much focus was on identifying behavioral characteristics of malicious insider threats. Don’t get me wrong, proactively identifying malicious insiders is a critical part of an Insider Threat Program, but I believe that you also must consider the inadvertent actors: end users who are careless, who are unaware of policy, or who are not adhering to it. I’ve read that up to 66 percent of cyber security incidents are caused by inadvertent actors. If this is true, then we can significantly decrease our risk by shaping the behavior of our employees towards security awareness.
How do we reduce our risk of a cyber security incident due to end user error or carelessness? Through the development of a cyber-resilient culture. You cannot implement this type of change by providing an annual training class and test. You have to take a holistic look at the areas of risk and the categories of people that you have working for you. A renewed focus on inadvertent actors will actually complement your programs targeting malicious insiders and will increase the likelihood that your employees will be your biggest assets in recognizing cyber security threats.
A risk assessment will help you to focus most of your effort where you have most of your risk. What information do you have? Who has access? What would happen if cybercriminals got their hands on it? What is the potential consequence? Consequence can be direct monetary loss or it could be future loss due to damaged reputation.
Identifying the categories of people with access to your systems will help you to tailor your plan appropriately. You wouldn’t take the same approach to shaping the security behavior of a software developer as you would for an executive. You may also need to consider generational differences to tailor your approach so that it is most effective.
The end goal is to shape everyone’s behavior so that security is something they consider 24×7, whether they are at home surfing the net or reading email in the office. At Expressworks we have helped many companies implement behaviors that reduce enterprise risk (security, safety, reporting, etc.). There are many innovative techniques that we use to keep security fresh in everyone’s minds. We’ve seen great success with gamification, penetration testing, and just-in-time training and communications, to name a few.
In summary, I recommend that you don’t overlook the importance of developing or reinvigorating a culture of cyber resilience within your organization when developing an Insider Threat Program. Your inadvertent actors may turn into your greatest asset for protecting your digital assets from malicious insiders as well as external threats.