People are any company’s greatest asset. People build the systems, people run the systems, and people are responsible for keeping a computer network safe. People can also pose many types of threats – whether accidentally or intentionally. Because of this, it’s important to be aware of and limit insider threats in your organization.
We have a few ideas about how to do this. All of them are standard best practices in cybersecurity, so you may have heard them before, but here we also include the reasons why this matters.
Build trust. Keep building trust. Make it a culture.
Building trust is a common discussion for a reason. It is crucial to the survival of teams and organizations. Without it, communication is often fragmented and employees are more likely to become disgruntled. For leaders, this includes:
Clearly casting your company vision and communicating with employees. Setting the security culture with your actions.
Helping team members to see their role in the mission, and to see their role in security – whether their title is technology-related or not.
Listening when people provide feedback. Leaders who listen and collaborate with their teams are building relationships of trust.
Security culture has been a hot topic lately. This is because insider threats are very real. All of the practices above are designed to build trust and create a culture where the team’s ideas, customs, and social behaviors make a company more secure (definition thanks to Perry Carpenter and Kai Roer via the National Cybersecurity Alliance).
Carpenter and Roer say that security culture can be measured by:
These terms lay out a process for engaging employee mindsets that lead to action.
We should not assume that every device user has the proper tools to stay safe online. In fact, 62% of users surveyed say they do not have access to cyber training. To limit insider threats, we must give the right tools and training to those insiders.
Cybersecurity training has been proven to increase user awareness and security behaviors. For example, 58% of participants surveyed report they are better at recognizing phishing messages, and 40% started using MFA (multi-factor authentication).
Separation of Duties
Separation of duties is a way to provide protection for everyone involved inside the organization. It ensures that no single person or group has full control over the network, and that no sensitive action can be completed by one individual acting alone, which protects the company.
The individuals within the organization are also protected from accusations of improper action, since accountability is provided and one person or team does not have complete control. Separating duties will ensure that business operations can continue smoothly if a team member departs or is on vacation.
Policies & Technical Controls
Good policies regarding access to sensitive data are important, but so are the controls that give teeth to these guidelines.
Policies can include both written documents, which direct user compliance, and network settings, which ensure technical compliance. In many cases, the company goals are best achieved by using both.
Written documents include a number of policies about who can access information and how, what should happen to mitigate an emergency/data loss situation, and how data will be recovered in case of loss. We detail these in this blog about the importance of documentation.
Enforce Job Rotation and Mandatory Vacations
Rotate employees fully into and out of different jobs. This practice is valuable to cross train employees who can help provide knowledge and role redundancy in case of an emergency. It promotes understanding across departments and roles, and it may just break down some of those pesky silos we keep talking about in the security world.
Job rotation is also important to detect fraud, theft, and misuse of organizational resources – when a staff member is replaced in a role, the successor will notice if a policy has been violated or if anomalous activity has occurred.
Everyone needs a break. Don’t let anyone tell you otherwise. Vacations should be mandatory and regular, to protect staff from burnout and cultivate a healthy workplace culture. Maintaining a good work/life balance should be celebrated, not punished.
Above all, the best cyber defense against insider threats is to value people. Cheer on their success, their security victories, and their importance to your team at every opportunity. Cybersecurity awareness starts with people. Investing in your team and their skills will only improve safety for everyone.
We at StandardUser Cybersecurity are on a mission to share cybersecurity and cyber safety education with everyone, to make our world a better place. Are you with us? How can we help? Let us know today.
Whatever your cybersecurity challenge, we can help you keep your business running. We are a defensive and offensive cybersecurity company, using over 30 years of experience with active commercial and government work and proven security methodologies. We also educate teams and professionals who want to build on their skills. Occasionally we communicate with cybersecurity memes.
We set the standard for cybersecurity excellence.