(Updated 02/03/2021)
Culture is the lifeblood of any organisation, and it encompasses the shared values, norms, beliefs and assumptions that ultimately drive employees’ actions. According to a study from HR consulting firm Mercer, U.S. companies faced an average turnover rate of 22 percent in 2018. The median number of years that an employee stays in a position, according to the Bureau of Labor Statistics, is 4.2 years, with employees aged 25 to 34 staying only 2.8 years. The era of lifelong jobs has come to a close, and security teams must be aware that a revolving door of employees could be putting their organisation at risk of data exfiltration.
One way to reduce your risk in the face of this level of employee turnover is to build a strong and explicit security culture. A culture of cybersecurity awareness and responsibility can help prevent some insider threats from happening and increase the likelihood that others will be caught or reported. Moreover, a strong security culture instills employee trust in the organisation, which can reduce both organisational risk and employee turnover. Here’s how to go about it.
1. Cybersecurity Awareness Can Prevent Accidental Insider Threats
According to insider threat statistics, two out of three insider threat incidents are caused by employee or contractor mistakes. The good news is that mistakes are preventable with the right training and a strong culture of cybersecurity awareness. If employees are totally in the dark about security policies, they are more likely to make mistakes that could become costly insider threat incidents. Common employee mistakes that could lead to incidents include:
- clicking on a phishing link in an email
- using file-sharing software that isn’t authorised by IT
- emailing sensitive documents to a personal address to work on from home
An important first step toward a culture of cybersecurity awareness involves knowledge of corporate policies—not just the “What am I allowed to do?” part, but also the “Why does this policy exist?” aspect. People are more likely to follow through on a best practice when they understand the “why” behind it. A thorough review of organisational security policies, including a justification of why certain rules are in place to protect the organisation, will often lead to more diligent employee behaviour around security. Frequent reinforcement of policy—in the form of real-time alerts that explain potential policy violations or periodic policy reviews—can ensure that this guidance sinks in on a regular basis.
2. Transparency Increases Employee Trust
Establishing a foundation of trust is an important element of an effective insider threat program. For example, if your organisation chooses to deploy user and data activity monitoring technology, be transparent with employees and clear in the corporate cybersecurity policy about how and why their actions will be monitored on corporate systems. If employees understand that the security team isn’t watching their every move, “Big Brother”-style, they may feel more comfortable with the idea of monitoring technologies.
In addition, some tools, like the Proofpoint Insider Threat Management (ITM) solution, allow user activity data to be anonymised to protect user privacy. ITM also gives organisations the power to decide exactly what they will monitor, and allows them to exclude things like social media activity, should they choose to. Every organisation has different requirements and a different culture around privacy. For example, the ability to anonymise data is mandatory for certain regulatory compliance requirements, such as GDPR. Having control over what is monitored, and communicating those boundaries to employees, can be a good way to instill trust. If employees know that their privacy is important to the organisation, they will be far more willing to respect company property and IT systems.
3. Security Teams Can Serve as Allies
Too often, the relationship between security and the rest of the organisation can seem reactive and punitive. This dynamic may make employees less willing to point out a potential mistake they have made or report out-of-policy behaviour they have witnessed. Employees may also feel hesitant to approach security teams with questions about policies, or ask for exceptions to the rules when they need them. The exact opposite should be true.
If security teams have an open-door policy with employees, they may find themselves reacting to fewer potential incidents, and helping users proactively mitigate risks before they escalate to become costly incidents. Employees are less likely to get frustrated with restrictive policies, and instead find a flexible way of working that keeps them productive and the organisation secure.
Even with a culture of cybersecurity awareness in place, malicious insider threat incidents can still happen. Potential motives for these types of insider threats include financial gain, revenge, espionage on behalf of a nation-state, and more. However, if malicious insiders understand that there is a clearly stated policy, along with a user and data activity monitoring solution in place, they will be less likely to think they can get away with data exfiltration attempts. In a perfect world, a corporate culture would be healthy enough that employees would not feel the need to exfiltrate sensitive data or misuse their privileges maliciously in the first place.