The fact is that many, if not most, security breaches involve internal users, and this risk is known as ‘Insider Threat’. Creating a culture of cybersecurity within and for your employees is paramount in helping to safeguard your company against insider threats.
The theme of this year’s National Cyber Security Awareness Month (NCSAM) was ‘Our Shared Responsibility’, which reflected the notion that cyberspace cannot be secured without the help of all users.
As part of the NCSAM we spoke with Greg Cullison, Senior Executive of Security, Suitability & Insider Threat programs at Big Sky Associates to discuss how creating a culture of cybersecurity at work helps organizations tackle what is their weakest link – their employees.
Definition of an Insider Threat
“In our industry, insider threat is essentially any threat that relates to information on the network, and it could be either a malicious act or due to just plain negligence. Insider threat can follow three channels. The most common is the employee who has legitimate access to the system and data as part of their job. Then there is the outside worker who is temporarily contracted to do a job within the company. And finally, there is the ‘outside insider’ who has gained access to the network through the acquisition of passwords or a lost device such as a laptop or USB stick.”
“If you look at it from a data perspective, every organization has some type of data that makes it unique – this could be a customer list or a business strategy – anything that has economic value or is a financial driver. So no organization is immune from insider threat.”
Protection against the Insider Threat
“Training is as important as is having the right security software in place. However, there should be a collective responsibility in protecting company information. This is where we bring in process improvement. Our strength is in process improvement projects where we look at what has been missed. By uniting processes and merging functions you can address issues more effectively. For example with IT and HR working together, you can have a policy in place to monitor an employee who might have been flagged as having grievances or performance issues.”
“Organizations should get all the right stakeholders in one room to really understand what they are trying to achieve in terms of security and from there create a robust insider threat program that is part of the business process.”
Company training to tackle Insider Threats
“Training is a staple in every organization. But often after employees go through security training, they sign a form and the task is done. This is not enough – companies should follow up on training because here is where the danger lies if there are no reminders. Organizations have to understand what they need to achieve and then set policies in place to meet these objectives.”
“Repeated training can be quite boring and attendance is in no way a measurement of effectiveness. So training needs to be part of the overall process improvement so we recommend exercises with employees where someone poses as an insider and does activities to really test out your system.”
Industry regulations and compliance for Internal Security
“In the US, there is a lot of regulation and in industries that have personal and public involvement like in healthcare, it is taken very seriously. New malwares are being written everyday and from a legal perspective, organizations can often say that they were compliant in line with government regulations but that does not necessarily stop a breach. Media coverage on beaches also gets organizations to take notice of compliance because if there is a breach, they don’t want the same thing to happen to them. Talking to organizations about compliance and risk in terms of revenue losses helps them relate to it better.”
“So most organizations meet regulation needs but they should do more than that – they should make risk management part of the whole-company strategy. Everyone should know what to do in the event of a breach.”
When it comes to protecting against the Insider Threat, a joined up approach of better user education, process and technology solutions across the whole enterprise helps best protect an organization against the insider threat.