When Awareness is the Best Defence

How better employee training can help eliminate the growing insider threat

While businesses of all sizes put significant time and money into battling breaches by outside actors, helping empower the people we work with is just as important, as they’re faced with data and security challenges on a daily basis.

Mention ‘insider threat’ and people will naturally assume you’re talking about rogue employees motivated by greed, malice, politics or revenge to steal sensitive information, sabotage IT systems, or corrupt important data. But, while Edward Snowden and Panama Papers-level events drive lots of press coverage, breaches enabled by error or carelessness on the part of employees and suppliers actually pose the more persistent risk.

According to the Ponemon Institute, security breaches caused by insiders cost the average business as much as £6.9 million per year — more than twice the average cost of other breaches. IBM says insider threats are the source of 60 per cent of cyber attacks. Freedom of Information requests sent to the UK Information Commissioner’s Office show that employee error caused nearly half of all breach incidents reported over the last three years.

With the threat growing in both scale and complexity, it’s no surprise that more and more organisations are looking to create a culture of cyber-security at work. Re-thinking how security training programmes are structured and delivered has to be a cornerstone of that effort.

The enemy is … us?

With their access to systems and facilities, insiders have the power to leak intellectual property, disrupt operations, damage company reputation, and expose sensitive information to third parties. This can happen maliciously, or as a by-product of carelessly sharing passwords, clicking questionable email links, leaving USB sticks lying around, or being generally lax in observance of security policies.

Better training is key to tackling the intentional and unintentional types of insider threat, both to make staff aware of their own actions and sensitise them to signs of adverse behaviour in others.

In order to be effective however, any programme of cyber-security awareness has to take into account the huge variability in human behaviour and motivations. That can start by classifying the main categories of insider threat:

1. Breaches caused by basic negligence are the most common, and also the most difficult to catch. Employees in this category might well exhibit outwardly secure behaviour and generally stick to company policy, but cause breaches out of occasional error or misjudgement – for example storing sensitive materials or IP on insecure personal devices, or carelessly clicking a phishing link.
2. Next is the criminal insider who intentionally exfiltrates data or commits other malicious acts for personal gain or financial reward. A Gartner study found that more than 60 percent of criminal insiders were ‘second streamers’ – people looking to supplement their income.
3. Disgruntled employees who deliberately damage systems, corrupt data, or steal intellectual property also pose a costly risk to businesses. The same study by Gartner found that 30 percent of employees took proprietary information with them after leaving a job.
4. Finally, a small but significant percentage of any organisation’s workforce will be comprised of non-responders to security training. While these employees may not intend to behave badly, they are a serious concern as they can fall into consistent patterns of negligent behaviour.

Re-thinking security awareness training

Training is an essential weapon in the battle to eliminate insider threats, but too often employees go through a classroom course, sign a form and consider the task complete. Simply repeating sessions on a regular basis can be ineffective as staff become bored or overloaded with information. Attendance is not a metric of success. Nor should they simply be an IQ test with a pass rate of ‘X per cent’.

Building a programme around real-life exercises and simulations tends to be much more effective, engaging each employee individually with practical and intellectual challenges that help expose how they would act when confronted by a potential threat. Placing employees in real-world situations also helps eliminate perceptions that the new security push and any additional software measures you’ve implemented are part of a witch hunt. When a policy is seen in situ, it adds validity and also makes it more memorable.

Harvard Business Review has said that better training is the best cyber security investment a business can make. That includes training for everyone from executives to employees, but should also take into account ‘outside insiders’ like contractors, consultants, and trusted vendors.

With the frequency of insider incidents on the rise and high street names like Morrison’s facing liability for the data breach of a disgruntled employee, training designed to address insider threats needs to become a standard part of security awareness programmes. Embedding personal cyber sensitivity in staff and suppliers will go a long way to mitigating and containing incidents.

Want to learn more about empowering your employees security defences?  Why not sign up for a free demo and find out how we’re already helping organisations just like yours.