The best defense against insider threats – culture
Russia, China, North Korea, Iran, and other external groups are formidable cyber threats requiring constant vigilance, but another area of risk that cybersecurity leaders can’t overlook is insiders. There are many valuable tools to counter this risk, such as Data Loss Prevention, email sanitization, and newer capabilities built on AI, but the most important defense for the human factor is not a tool you buy; it is your organization’s culture.
Insider threats represent a substantial risk to an organization because these users have authorized access and inside knowledge of your systems. They could even be the individuals who developed those systems. Insider threats encompass both intentional and unintentional acts. The blurring of the network perimeter by connectivity to external partners and cloud systems has expanded the definition of insiders from employees and contractors to third-party partners who have access to your information or systems.
Intentional threats are rare (fortunately) – they are deliberate acts to harm the organization, driven by motives such as a personal vendetta after being dismissed, financial gain from stolen data, or theft of intellectual property on behalf of a foreign government.
Unintentional insider threats are common (unfortunately), and this is where cybersecurity programs need an assist from culture. These risks stem from employee negligence or lack of awareness. Though there is no malicious intent, the impact can be significant – for example, an employee falling for a phishing email that leads to ransomware shutting down a hospital’s IT systems for a month.
An organization’s culture is its workforce’s shared values, attitudes, and behaviors. It can be a key part of your cybersecurity defense, or it can work against it. When workforce engagement is high and individuals believe in the mission and the direction set by the leadership team, they are more likely to absorb security training and take ownership of their role in protecting company assets. If they hold an adversarial view of the company, feel disengaged, or work in a lax culture, they are not going to give it the same effort.
A cybersecurity program is only one slice of an organization’s culture; how can it affect the whole organizational culture? It definitely can: a security program touches everyone in the organization, and that creates an opportunity to have broad influence on the organizational culture. Here are some actions that help:
Begin at the top: An organization’s culture starts with leadership. You can help set an example in your interactions with leadership and the workforce – being ethical, collaborative, mission motivated, and showing mutual respect and integrity.
Set the tone with a positive security culture: Make your program’s interactions with the workforce positive and team oriented, not punitive or fear-based. Recognize employees who demonstrate positive behaviors and celebrate the wins together to build buy-in and momentum.
Communicate with transparency: Communicate openly about security threats and risks without coming across as Chicken Little, encourage feedback, and act on what you hear.
Build a sense of ownership: Help employees understand why security helps the mission and the role they play, and show that you value them. Creating a sense of ownership for security can be contagious and lead to a broader sense of responsibility for the company.
Support the people: Set clear policies, procedures, and expectations so all employees know their role, and then provide support to help them be successful.
A cybersecurity program can help build a strong organizational culture that promotes ethical behavior and a sense of ownership of the mission; in fact, it can be a cornerstone of that culture. That kind of culture provides a powerful defense against insider threats. Use your program as a catalyst to raise the bar for other parts of the organization, to the benefit of all.
Hold Fast and Stay True