Security Training and Awareness: The Missing Piece of Your Insider Threat Program
When you hear the phrase “insider threat,” what’s the first thing you think of?
If it’s double agents hidden inside your organization exfiltrating reams of data, you’re not alone.
A recent Wall Street Journal survey found that 67% of cybersecurity executives at the 400 companies surveyed are concerned about malicious employees intentionally harming their companies. The bigger a company’s revenue, the more likely its executives were to consider malicious insiders a threat.
This level of concern is no surprise. Bad people secretly doing bad things inside your company are definitely something to worry about.
And this sort of insider threat doesn’t even have to be part of a massive scheme to bring your company down. Someone whose hours were cut, or who was laid off, could, given the right access credentials, do just as much damage on a bitter whim as any grand plan to steal millions of dollars.
But thinking of “insider threats” only as bad people doing bad things could mean you’re missing an opportunity to influence the other side of that coin: employees who simply make mistakes.
Industry research suggests insider threats are predominantly made up of well-meaning employees who took an incorrect action unintentionally.
The 2020 Verizon Data Breach Investigations Report cites credential theft, social engineering attacks, and errors as the top three causes of the breaches it analysed. A Ponemon Institute/Proofpoint study of insider threats found that 63% of the incidents it studied stemmed from employee or contractor negligence (“negligence” might be a little more serious than “accident,” but you get the idea).
Turn Insider Threats into Insider Heroes
These people, your employees, are generally on your side. At the very least, they know doing the right thing as often as they can is the best way to stay employed. They are not problems to be solved, but teammates to be empowered.
The key is to harness this goodwill for the benefit of the entire company.
How do you do that?
Since we’re talking about people, this means building a security training and awareness program that engages and inspires. Training that makes everyone feel like part of the team.
Here are some ideas on how to take this approach to security training and awareness.
See Something, Say Something
Can you train a malicious person to keep them from doing something malicious? Of course not. Someone with a serious enough desire to burn something down will likely find a way to do just that.
It’s everyone else, the “good employees,” whom security training will influence. Here we’re talking about a strong culture of incident reporting: the classic “see something, say something” mentality.
Implement training that frames incident reporting as working toward the greater good, and that positions the “common” employee as an important part of your security posture. This goes for reporting both suspected malicious acts by coworkers and things that look like simple mistakes.
Some key points to hit in this type of training include:
- What constitutes a security incident
- How to report incidents
- Identifying incidents occurring in both digital communications and physical workspaces
- What actions should be taken once an incident has been reported to help mitigate its effect
Supportive, Not Punitive
If you want a culture that encourages people to report, you have to be friendly.
Few employees will want to engage in your incident reporting process if they fear it will just lead to a hand slap. If they’re scared of what the response from the IT/security team might be, well-intentioned employees might want to take matters into their own hands to try to solve the problem themselves. If your hair stands on end at the mere thought of this scenario, you know what a big problem it can be.
Simply put, you can’t be the scary, mysterious security function that people don’t want to engage with.
If you’re running a punitive training program (more stick than carrot), or if your materials are full of hackers in hoodies and binary floating around the screen, you won’t get the engagement you need from your employees.
This goes beyond specific training tactics, though, to the larger concept of humanizing the security function at your organization. If your people can put names to faces, they’re more likely to feel comfortable raising the alarm if something seems amiss.
A CSO I once worked for tasked me with this very “humanizing” job: letting the employees we served get to know us as people so they’d feel more comfortable engaging with us. We used “employee spotlights” featuring different members of the security team, so people could get to know us.
We’ve seen messaging campaigns that highlight transparency and human connection be well received “in these trying times” (yeah, we’re sick of that phrase too, but it still applies), so you might want to take advantage of the mood and open the curtain on the security team. Security and IT folk are people too!
Tell Me What’s Wrong
I try not to talk about learner engagement without mentioning the ability to measure whether your training and awareness efforts are having an impact. No training initiative should be without a way to track how things are going, both for your own edification and that of your bosses.
Fortunately, when it comes to managing insider threats, the metrics are relatively straightforward. First, get a baseline of your incident reporting and ethics hotline reporting before training content is deployed.
As your program runs its course, check whether these reports increase as training progresses and in the months following. More reported incidents mean your employees have developed sharper eyes for suspicious activity (not necessarily that more incidents are actually happening!).
Consider meshing this information with SIEM or DLP data to identify potential decreases in time to detection. Also, look for increases in the number or percentage of incidents detected and resolved before any harm occurs.
Engaging training is all about the impact it has on your employees’ actions. Few metrics you can track tell as clear a story of training and awareness success as improvements in incident reporting.
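As an added illustration of the measurement approach described above (not code from the original article), the script below takes a set of incident records, splits them into a baseline period and a post-training period by detection date, and computes the three measures the text calls for: how many incidents were reported by people, mean time to detection, and the share of incidents contained before any harm occurred. The launch date, record fields and all sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed: the date the awareness content went live (not from the article).
TRAINING_LAUNCH = datetime(2020, 6, 1)
PEOPLE_SOURCES = {"employee_report", "hotline"}  # reports that came from a person


@dataclass
class Incident:
    occurred: datetime  # when the activity began (established from SIEM/DLP evidence)
    detected: datetime  # when it was first flagged, by a person or by tooling
    source: str         # "employee_report", "hotline", "siem" or "dlp"
    harm: bool          # True if data left or damage was done before containment


# Constructed sample records, not real incident data.
INCIDENTS = [
    Incident(datetime(2020, 3, 2, 9), datetime(2020, 3, 9, 9), "siem", True),
    Incident(datetime(2020, 3, 20, 10), datetime(2020, 3, 22, 10), "dlp", True),
    Incident(datetime(2020, 4, 10, 8), datetime(2020, 4, 10, 20), "employee_report", False),
    Incident(datetime(2020, 5, 5, 13), datetime(2020, 5, 8, 13), "siem", False),
    Incident(datetime(2020, 6, 15, 9), datetime(2020, 6, 15, 11), "employee_report", False),
    Incident(datetime(2020, 7, 1, 14), datetime(2020, 7, 2, 14), "hotline", False),
    Incident(datetime(2020, 7, 20, 9), datetime(2020, 7, 20, 15), "employee_report", False),
    Incident(datetime(2020, 8, 3, 10), datetime(2020, 8, 5, 10), "dlp", True),
    Incident(datetime(2020, 8, 18, 8), datetime(2020, 8, 18, 12), "employee_report", False),
    Incident(datetime(2020, 9, 2, 9), datetime(2020, 9, 3, 9), "siem", False),
]


def summarize(rows):
    """Counts, mean time to detection in hours, and share contained before harm."""
    if not rows:
        return None
    hours = [(r.detected - r.occurred).total_seconds() / 3600 for r in rows]
    return {
        "incidents": len(rows),
        "employee_reports": sum(r.source in PEOPLE_SOURCES for r in rows),
        "mttd_hours": round(mean(hours), 1),
        "pct_contained_before_harm": round(100 * sum(not r.harm for r in rows) / len(rows), 1),
    }


def training_metrics(incidents=INCIDENTS, launch=TRAINING_LAUNCH):
    """Split by detection time relative to the launch: baseline vs. post-training."""
    before = [r for r in incidents if r.detected < launch]
    after = [r for r in incidents if r.detected >= launch]
    return {"baseline": summarize(before), "post_training": summarize(after)}
```

A rise in `employee_reports` alongside a falling `mttd_hours` is the pattern the article describes: people are spotting things sooner, not that more is going wrong.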
The right approach to security training and awareness can both keep your valued insiders happy and defend against those who would intentionally do your company harm.