Although it is nothing new (it was recorded during the 10-year siege of the City of Troy), the insider risk is still identified as the most significant risk to business.
However, companies still underestimate the importance of mitigating this risk.
The growing reliance on portable and internet-connected technologies has only increased the risk, and the potential for access by unauthorised persons.
Over 80% of data breaches are caused by insiders (Source: BI Intelligence)
Actions of the end-user can be deliberate (bypassing an inconvenient countermeasure) or accidental (poor understanding), and either may leave an organisation vulnerable.
Organisations see the significant benefits of having a more flexible, mobile and readily connected workforce, but are largely unaware of the associated risks.
Technology is advancing at such a pace that masses of data can be instantly transmitted and readily stored indefinitely. Modern life has become one of ever-changing system and software updates and new ways of doing business. This is a far cry from just 30 years ago, when technology was extremely expensive and only a very select few were deemed worthy of it. As a result, a business perimeter is far more fluid, with a greater number of doors/windows that need to be managed in order to restrict access to authorised personnel only.
The more people who are granted access to this dynamic technology (keys to the perimeter gate), the greater the risk of someone leaving a door/window open, allowing someone to 'piggy-back' access, or being duped into giving a copy of their key to a complete stranger.
'Cyber-Aggressors' are continually looking for opportunities to exploit ways into someone else's IT systems and sensitive or personal data assets.
Balancing keeping IT systems operational, keeping employees productive and mitigating the insider risk is extremely difficult, and it gets substantially harder with wider-reaching territories (different languages, cultures, legislation, etc.), asset criticalities and volumes of IT assets/applications.
Mitigating the insider risk needs to be far more than a tick-the-box approach (e.g. once-a-year training); it needs to be one where the business recognises the importance of continual awareness, refresher and familiarisation training. For example, if you are an organisation that relies heavily on the use of email, shouldn't you be training and testing the email users on the dangers and the safe practices?
Just like drivers expect to comply with the 'rules of the road' and to drive with due care and attention (for the protection of themselves and others), should you be instructing the email users on the 'rules of the email'?
This is more than just writing a supporting policy and procedure, publishing it on the company intranet and never seeing it again. Engage your workforce, make it relevant to them and help them feel that they are contributing to the safety of the business, themselves and others.
Define a security awareness strategy, where departmental 'Champions' are encouraged to help contribute to the development of this strategy.
Develop a myriad of training mediums (e-learning, face-to-face presentations, breakfast clubs, roundtables, posters, newsletters, quizzes, e-mails, etc.). Ensure the topics are interactive, relevant and appropriate to the target audience. This can often be the most difficult and time-consuming aspect of security awareness modules, so consider the potential benefits of subscribing to an e-learning service.
Incorporate InfoSec into project management, to enable timely familiarisation training for newly introduced IT systems or applications.
Do not focus on delivering business-only security awareness topics. Consider including topic areas that will provide employees with additional knowledge, which will help them enhance the knowledge of their families. Knowing that their employer is helping to protect them at home, as well as the business, will improve the receptiveness of your audience.
Include topics on recent or known incidents that have targeted or impacted other areas of the business (develop the knowledge of your wider audience through lessons learned).
Consider the potential of bringing in seasoned InfoSec professionals to deliver informative, interesting and up-to-date presentations.
Develop policies and procedures that are concise, relevant and provide clear instruction/guidance on what is and what is not acceptable.
Recognise the potential benefits of effective user security awareness training and ensure that adequate time is allocated and scheduled to provide sufficient continual training. The short-sighted view is that taking personnel away from their jobs impacts the company's profits. This is far from the truth, as the cost of recovering from a security incident or data breach could have a far greater impact.
The greater the number of trained 'Eyes and Ears' you have supporting your IT systems' alerts, the greater chance you have of identifying suspicious or malicious activities.
The majority of people are concerned by the ever-present threat from 'Cyber-Aggressors' and do not want to be responsible for making a mistake that may lead to a data breach. Consequently, they will appreciate the business's investment in helping them understand the dangers they may be facing and how to mitigate them.
Effective training will help reinforce good practice, reminding them of the appropriate policies/procedures and the potential repercussions of ignoring these rules and putting the company and others at unnecessary risk.
Think of every employee with access to your IT systems/applications and data as someone carrying a key to your estate.
Are they allowed to leave the key in the lock?
Are they allowed to share the key with others?
Do they know how to act when a con artist comes knocking at your door?