(Updated 02/03/2021)
Culture is the lifeblood of any organization, and it encompasses the shared values, norms, beliefs and assumptions that ultimately drive employees’ actions. According to a study from HR consulting firm Mercer, U.S. companies faced an average turnover rate of 22 percent in 2018. The median number of years that an employee stays at a position, according to the Bureau of Labor Statistics, is 4.2 years, with employees aged 25 to 34 staying only 2.8 years. The era of lifelong jobs has come to a close, and security teams must be aware that a revolving door of employees could be putting their organization at risk of data exfiltration.
One way to reduce your risk in the face of this level of employee turnover is to build a strong and explicit security culture. A culture of cybersecurity awareness and responsibility can help prevent some insider threats from happening and increase the likelihood that others will be caught or reported. Moreover, a strong security culture instills employee trust in the organization, which can reduce both organizational risk and employee turnover. Here’s how to go about it.
1. Cybersecurity Awareness Can Prevent Accidental Insider Threats
According to insider threat statistics, two out of three insider threat incidents are caused by employee or contractor mistakes. The good news is that mistakes are preventable with the right training and a strong culture of cybersecurity awareness. If employees are totally in the dark about security policies, they’re more likely to make mistakes that could become costly insider threat incidents. Common employee mistakes that can lead to incidents include:
- clicking on a phishing link in an email
- using file-sharing software that isn’t authorized by IT
- emailing sensitive documents to a personal address to work on from home
An important first step toward a culture of cybersecurity awareness involves knowledge of corporate policies—not just the “What am I allowed to do?” part, but also the “Why does this policy exist?” aspect. People are more likely to follow through on a best practice when they understand the “why” behind it. A thorough review of organizational security policies, including a justification of why certain rules are in place to protect the organization, will often lead to more diligent employee behavior around security. Frequent reinforcement of policy—in the form of real-time alerts that explain potential policy violations or periodic policy reviews—can ensure that this guidance sinks in on a regular basis.
2. Transparency Increases Employee Trust
Establishing a foundation of trust is an important element of an effective insider threat program. For example, if your organization chooses to deploy user and data activity monitoring technology, be transparent with employees and clear in the corporate cybersecurity policy about how and why their actions will be monitored on corporate systems. If employees understand that the security team isn’t watching their every move, “Big Brother”-style, they may feel more comfortable with the idea of monitoring technologies.
In addition, some tools, like the Proofpoint Insider Threat Management (ITM) solution, allow user activity data to be anonymized to protect user privacy. ITM also gives organizations the power to decide exactly what they will monitor, and allows them to exclude things like social media activity, should they choose to. Every organization has different requirements and a different culture around privacy. For example, the ability to anonymize data is mandatory for certain regulatory compliance requirements, such as GDPR. Having control over what is monitored, and communicating those boundaries to employees, can therefore be a good way to instill trust. If employees know that their privacy is important to the organization, they’ll be far more willing to respect company property and IT systems.
3. Security Teams Can Serve as Allies
Too often, the relationship between security and the rest of the organization can seem reactive and punitive. This dynamic may make employees less willing to point out a potential mistake they have made or report out-of-policy behavior they have witnessed. Employees may also feel hesitant to approach security teams with questions about policies, or ask for exceptions to the rules when they need them. The exact opposite should be true.
If security teams have an open-door policy with employees, they may find themselves reacting to fewer potential incidents, and helping users proactively mitigate risks before they escalate to become costly incidents. Employees are less likely to get frustrated with restrictive policies, and instead find a flexible way of working that keeps them productive and the organization secure.
Even with a culture of cybersecurity awareness in place, malicious insider threat incidents can still happen. Potential motives for these types of insider threats include financial gain, revenge, espionage on behalf of a nation-state, and more. However, if malicious insiders understand that there’s a clearly stated policy, along with a user and data activity monitoring solution in place, they’ll be less likely to think they can get away with data exfiltration attempts. In a perfect world, a corporate culture would be healthy enough that employees wouldn’t feel the need to exfiltrate sensitive data or misuse their privileges maliciously in the first place.