According to last year's Accenture/Ponemon Institute study, the most recent annual increase in the cost of cybersecurity was 22.7% (in the USA specifically), with over 130 security breaches per year, a figure growing at 27.4% per annum.
Given these alarming statistics, it is curious, and indeed contradictory, that a nation that leads the world in both innovation and technology suffers so frequently from poor cybersecurity. Yet the cybersecurity industry (and too many companies with valuable IP) seem to look right past the best and least expensive way to mitigate these threats.
In our collective rush to create another algorithm or design yet another complex software suite to counter the malicious insider or the persistent state-sponsored threat, we seem to be ignoring what is right in front of us.
What are we missing? A culture built on an informed, empowered and committed workforce: people who fully appreciate the threat, recognize the signs of concerning behavior in co-workers, and know exactly what to do and whom to call when they see something suspicious or worrisome.
This only works when it is coupled with enthusiastic corporate leadership and a demonstrated commitment to ensuring that essential training and education of the workforce actually takes place; I believe that kind of committed inclusion of training is what makes the difference. If the directors or CEO show little or no visible commitment, the likelihood of success is almost nil, because the effort will be perceived as just another management-directed exercise and 'block-checker'.
Training should be an investment in your workforce. It needs to be regularly scheduled and part of the culture, and held even more frequently when the risk/vulnerability calculus suggests it.
Employees with a true sense of ‘ownership’ are the best first line of defense against the myriad of cyber, physical and increasingly sophisticated social engineering threats arrayed against them. After all, they are protecting their own jobs by protecting the company’s intellectual property, reputation and future financial success.
Unfortunately, the default position of human nature, and the prevailing attitude, is closer to what I noted in an article published by Fortune magazine several years ago, which stated that only a minority of employees are 'engaged' in their work.
Just for fun, the next time you go into a big box store, or even a very high-end boutique, take a moment to assess the demeanor and attitude of the employee you encounter and try to get a sense of their 'ownership' of their department, section, or the store as a whole. If your experience is anything like mine has too often been, you will come away saddened by their apathetic demeanor: this is the opposite of an engaged workforce!
So what does all this mean? You and your security team have an uphill battle trying to establish and maintain this true sense of ownership: it will require work; it will require you and your staff getting out and mixing it up with the workforce; it might even require your team creating rewards and other incentives for them to highlight vulnerable or unworkable, unrealistic systems, policies, or procedures.
A sterile, bi-monthly ‘security awareness’ meeting is not going to be enough to change the culture. If the workforce is valued, then invest in them and train them as if the future of the company depended upon it. It may well.
In today's highly interconnected workplace there is a clear requirement for best-of-breed software; threat detection software that analyzes behavior patterns is among the most sophisticated and creative of these tools.
The key to turning the tide of these threats is tailored and compelling awareness training for employees and managers, taught by approachable and experienced security staff. Why? Because it is all about the people. Here are a few ideas:
- Educate and train employees quarterly or semi-annually on security and on what the latest threats are.
- Ensure that proprietary information is protected, and limit access to the systems each staff member actually needs to do their job. When employees leave or change jobs, promptly revoke their access. Conduct careful exit interviews of those leaving under acrimonious circumstances who held elevated access to sensitive company data.
- Undertake comprehensive due-diligence research, social media, and background checks before hiring new employees.
- Provide non-threatening, convenient ways for employees to report suspicions.
- Routinely monitor networks for suspicious activity. Publish anonymized results of audits so employees can see that policies are being enforced; this serves as a strong deterrent to those who may not always "do the right thing when nobody is looking". Conversely, reward those employees who are of service to their fellow employees and the organization.
Will this proven method of engaging the workforce as partners with HR, managers, and security result in increased vigilance and identify the next disgruntled employee? My own review of past espionage cases suggests that many, but not all, culprits displayed indicators that should have aroused (and sometimes did arouse) concern among co-workers and were reported.
Not all culprits display such indicators to co-workers, which is why sophisticated data encryption, two-factor authentication and behavior-based threat detection software are also critical to meeting the threat.
While there is much to be said for a blended approach to this issue, we cannot afford to ignore the single most powerful defensive tool in our security toolbox: fellow employees who are aware of the various threats, understand the basic warning signs of concerning behavior, and know whom to call in order to possibly avert the next data breach.