
teissTalk: Where is your next negligent insider, and what risk do they pose?

On 25 May, teissTalk host Thom Langford was joined by Jonathan Craven, Privacy and Compliance Lead, iRhythm Technologies UK, and Kate Hiykel, Insider Risk Program Manager, Mutual of Omaha.

 

Views on news


Over three-quarters (77%) of organizations across US critical national infrastructure (CNI) have seen a rise in insider-driven cyber threats in the last three years, according to new research by leading cyber security services firm Bridewell.

 

The threat from within ranges from criminal intent to individual negligence, but those surveyed said an act of intentional destruction at the hands of an employee was committed on average at least every other week within the last year. Insider threat is happening all the time; the 23% that don’t report it are either not looking or looking for it in the wrong place. The nature of insider threat is also changing, and it sometimes comes from the most unexpected places.

 

Remote working and a heightened level of multi-tasking can increase error margins further. The challenge in raising awareness of insider risk is preaching to the non-converted and educating them about what they should do and why. The article mentions desperation as one of the key motivations for insider threat. Users may be desperate to meet a deadline or get approval from leadership, or they might just not report insider threat in order to get good reviews and the financial rewards that come with that.

 

How can you make staff care about cybersecurity?


The two major causes of insider threat are negligence and malice. Negligence can be wilful or can derive from ignorance. Generally, cybersecurity is seen by most employees as an admin bolt-on to their core tasks. The most effective approach to educating staff is to make cybersecurity part of the workforce’s business as usual and tweak their business processes.

 

Cybersecurity professionals should offer employees the path of least resistance, explaining to them that if they do comply, their working life will become much easier. A privacy-by-design approach can reduce insider threat that results from negligence. Establishing a positive reporting culture can go a long way too.

 

An increase in incident reporting is a good sign, indicating that the reporting culture is actually changing for the better. The C-suite has to set a good example by complying with the same rules as the rest of the company. They shouldn’t use iPads when the whole organisation is Windows-based, for example.

 

The panel’s advice


Bake cybersecurity compliance into what staff do on a daily basis so it becomes second nature to them.
Instead of annual cybersecurity training, adopt a drip-feed strategy: constantly sending low-level reminders to staff. There are good solutions that can help you achieve this in a gentle way. Try to nudge them into good behaviour rather than expecting them to make a 90-degree turn.


Have cybersecurity conversations with middle management, who, in turn, can pass on messages to the C-suite.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543