The ongoing Covid-19 pandemic continued to impact many companies not only from an economic aspect, but also from a risk management perspective. As an increased number of workers operated remotely, the methods in which security is applied evolves to address ways threat actors attempt to manipulate the “new environment.” The insider threat persists in both static and remote working environments, and management must be able to provide more effective security mitigation efforts to reduce potential threats. Improving employee knowledge and understanding should be first and foremost in implementing an effective risk reduction strategy.
Insider threat focus
Today, often the primary focus on insider threats remains in the cybersecurity realm, and rightly so in most cases. However, it is important to recognize the insider threat consists of physical elements as well, such as workplace violence, harassment, and theft of tangible products and proprietary information outside the cyber environment.
Businesses and individuals of 2021 are connected via a multitude of technological devices and platform, all designed to improve efficiencies and positively impact the bottom line. The consequences of data breaches are well known as every company is susceptible to both intentional threats as well as unintentional incidents. As such, the training and awareness methods focus predominantly on ensuring employees only open emails from trusted sources, refrain from downloading unauthorized applications and follow established security protocols. However, the usual training methods do not adequately address the potential for an insider threat in an organization especially while working remotely. The challenge therefore remains, how do you get employees engaged?
Obstacles to the Message
Prior to identifying ways to improve employee recognition of internal threat activities, and the larger issue of reporting the issue in some manner, it is important to first acknowledge some of the obstacles to greater engagement. Of course, the obvious issue starting in early 2020 and continuing today is the increase in number of employees working from home. The opportunity to “recognize” employee misbehavior or misconduct changed drastically in the physical environment. The cyber environment therefore has become the primary battlefield regarding digital thefts. However, even the physical environment changed due to fewer opportunities for employees, security personnel, management to recognize pilferage, etc. In essence, social distancing may have helped trusted personnel in their criminal activities with a decreased potential for observation.
Most notably, human behavior is the hardest obstacle to overcome in the hopes of improving personnel involvement in security. The reality remains that most people do not want to get involved. Remember, “snitches get stitches” goes a long way in deterring employees from providing information to management. In smaller companies and close-knit organizations, the fear of getting a “buddy in trouble” is a strong feeling, and difficult to overcome. The human behavior on the other end of the spectrum concerning apathy only compounds the obstacle. In every company, there are those who believe either it is not their job to get involved, or they just do not believe it could ever happen in “this” company. The false sense of security is a serious risk when management falls prey to this belief.
Techniques for Improvement
Improving security awareness and employee engagement in hopes of identifying and responding to the insider threat requires much more than empty words and threats. Insider threat is truly difficult to detect, especially depending on the type of activity or behavior. Regardless of whether the insider theft impacts physical inventories, customer support, and the bottom line, or threatens proprietary information, or even the physical well-being of a person, the recognition of behaviors is the key. Those behaviors however are not restricted to just the insider, but also relate to the behaviors of management to improve awareness and engagement.
First, educating employees, and other shareholders as appropriate, on what constitutes a suspicious behavior must be completed. Should employees report when another employee is found reviewing files outside his or her department? Is downloading of sensitive documents on jump drives not permitted? Are employees permitted to take discarded product or materials home for personal use? Do any of these, or similar actions, constitute a suspicious behavior? Management should routinely have those discussions, and not simply repeat the same message every year at training time.
Second, to help overcome inherent apathy, management should identify how misconduct, and especially insider theft, impacts not only the company, but also the employee. If most employees feel they are there for a paycheck, show the employee how theft impacts their wages and benefits. Ensure the explanation of the impacts include a statement indicating the damage to the company reputation often is more critical than the actual dollar loss.
When employees feel they are only there for a paycheck, the challenge for management is significant. Management must set the tone for the level of tolerance within the company by establishing what is allowed. The most effective approach dictates any theft, threat or misconduct will not be allowed. The Human Resources and Legal Departments are crucial to ensure employee rights are observed and must be involved in the development of company standards. To encourage employees to report concerns of internal threats or misbehavior, management must establish a mechanism to report violations that serves to protect the identity of the reporter while reporting legitimate concerns. Utilizing a third-party to handle ethics complaints can address employee concerns regarding potential releases of information and identities.
Most importantly for employees, the leadership must establish the culture and Lead by Example. Every new and 20-year employee wants to feel appreciated which then fosters the feeling of “ownership” by the employees. Management must demonstrate a genuine appreciation for workers at all levels. Employee apathy grows when employees are asked to do one thing while management fails to follow the same path. If management wants employees to be properly engaged to appreciate the potential for the insider threat, establish the culture from top to bottom.
Conclusion
The threat from insiders is real and must be taken seriously by security leader and every company. The threats may manifest themselves in many ways, from a disgruntled employee stealing product, to an overly aggressive co-worker, to an employee working for a foreign government. Management’s greatest resources to first identify behaviors indicative of this threat are other employees. However, for security awareness training to be taken seriously, management must ensure the work environment supports buy in from the employees.
Security awareness training is all too often disregarded by employees because management failed to establish the mutual appreciation necessary to overcome an apathetic workforce. Just as the safety culture and statistics in the workplace improve when management reinforces the message, the same can occur regarding security education and the insider threat when companies take the appropriate steps to make their employees the ultimate force multiplier.