
Darren Guccione at Keeper Security explores the relationship between company culture and insider threat in modern cyber security
UK businesses are facing an onslaught of cyber attacks. Almost one in five (17%) are subjected to approximately two attacks every working day, according to Keeper Security’s 2022 Cybersecurity Census Report.
The situation is only predicted to get worse. 92% of IT leaders expect the total number of cyber attacks on UK businesses to increase next year, with 46% predicting the number of successful attacks to also grow.
This explosive growth in attacks is not going unnoticed, as IT teams are ramping up their security and spending in response. Keeper found 74% of IT leaders made new hires in cyber security over the past year and 50% increased spend on cyber security software. 68% expect their cyber security budgets to increase over the next 12 months.
But the efficacy of budget increases and investments will be limited if one crucial chink in firms’ armour remains. Many businesses are so preoccupied looking outward for danger, they forget one important point - they also face serious threats from inside.
An insider threat isn’t just about a disgruntled employee walking off with important passwords. Although employees do pose a security risk in this way, insider threats can be created with no ill intent. Undertrained team members, under-controlled access and a company culture of fear or confusion also represent significant inside threats to an organisation.
Company culture poses a significant risk, yet it is seldom talked about in security spaces. Alarmingly, Keeper’s census found that over half (55%) of IT leaders have been aware of a cyber attack and kept it to themselves, suggesting they didn’t report it to any relevant authority.
Those in the IT industry know that an unreported breach can have devastating consequences for a business, its partners and its clients. It is an open door for cyber criminals, who may leave dormant malware in the network and launch another attack down the line. The business is also robbed of the ability to fix the vulnerability and learn from the incident.
Furthermore, if authorities are not notified, cyber criminals remain at large and can use the same tactics to target new victims.
If IT professionals want to protect against cyber attacks, they need to change this culture of secrecy. They must work to cultivate an environment of transparency, support and accountability, divorced from fear, in which every employee feels confident in stepping forward the moment an incident occurs.
Creating a strong cyber security culture also requires businesses to be strategic and intentional in their security training. Keeper found that 80% of IT professionals are concerned about a breach from within their own organisation, and for good reason: there is still a worrying lack of knowledge about key security concepts, both among IT teams and across the wider business.
More than one in five (22%) IT leaders say they have ‘somewhat’, ‘minimal’ or ‘no’ understanding of the concepts of zero trust and zero knowledge in relation to cyber security, and 29% say they fully understand them but do not believe the rest of their organisation does.
It’s clear more education is needed and businesses must ensure they’re identifying and plugging the gaps in their company’s security knowledge.
An attitude shift is also needed in businesses’ approach to identity security. Keeper’s census found that one third (32%) of IT leaders say their organisation leaves it entirely to employees to set their own passwords, and that employees often share login credentials, a practice that peaks at 37% among organisations with fewer than 1,000 employees.
This represents a huge insider threat to businesses, particularly in the age of remote working, where employees require access to company systems from a variety of locations, across a number of devices.
The minimum businesses should be doing is providing employees with guidance and best practices governing passwords and access management, while the safest path is to implement a sophisticated framework to govern access to their systems.
As cyber attacks continue to rise, businesses need to recognise where the danger is coming from. Insider threats pose as much of a risk as external threats, and for many, the current IT culture is making them extremely vulnerable.
If businesses want to protect their networks and assets, it’s only cyber criminals who should be left in the dark.
Darren Guccione is CEO and co-founder of Keeper Security
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543