Trust and security are two sides of the same coin. As leaders, we are responsible for cultivating a culture of trust with our employees, and we have a responsibility to employees, customers and all stakeholders to keep our businesses safe and secure. But how do we foster a culture of transparency and trust when the greatest threat is within our walls?
The vast majority of breaches (85% according to Verizon’s 2021 Data Breach Investigation Report) contain a human element and often involve people who already have access to a corporate network: employees and other insiders.
The high cost of a breach – $4.24 million in 2021 alone, according to IBM’s Cost of a Data Breach report – coupled with the often long downtime that follows a successful attack can easily lead to dramatic and far-reaching consequences that negatively impact every employee’s livelihood. Reducing the risk by even two or three percent can yield huge savings.
RISKS RELATED TO COMPLACENCY AND INSIDER THREATS
The vast majority of employees are well-intentioned, risk-aware, observant and hard-working. Of course they are. Recognizing and dealing with insider threats does not mean that a company no longer trusts its employees. Rather, it is prudent to protect the company itself and the employees who have a vested interest in the organization being able to continue doing business.
Cyber threats come from external and internal sources. External threats include hostile nation states, terrorist groups, criminal gangs and individual hackers. Ransomware is an example of a rapidly growing external threat to businesses around the world, along with other threats such as malware, social engineering, denial of service attacks, zero-day exploits and injection attacks.
While these threats represent a clear and present danger to any business, let’s focus on insider threats that come from individuals directly connected to your organization, such as employees, contractors, or former employees. These people often pose the greatest risk to an organization’s security posture, whether knowingly or unknowingly.
Complacent actors are employees who do not have malicious intent but who do not always remain vigilant in observing good security hygiene. They can get careless and unknowingly bypass standard protocols, like clicking on the wrong link in a phishing email. In fact, in a recent study, two-thirds of remote employees said they violated their company’s cybersecurity policies at least once every 10 business days.
Disenfranchised actors in your organization don’t always start out with malicious intent, but they can eventually take damaging and destructive actions, such as knowingly introducing malicious code into the network. These actors become malicious for a myriad of reasons, ranging from an organizational change to an event in their personal life. They can profit from the attack or simply want to harm their employer, and the result is always costly.
Cybercriminals will always seek the path of least resistance. One of the easiest ways to break into a network is to exploit a human vulnerability through phishing. That’s why 96% of cyber threats are email-based. All it takes is for a complacent or disenfranchised employee to click on the wrong link for hackers to gain credentials and gain access to your environment.
From a behavioral perspective, it’s important to have internal cybersecurity awareness training for all employees from the top down. Simulate a phishing email. Dust off the disaster recovery plan and perform mock training exercises to practice how to respond in the event of a breach. These are just a few fundamental elements to help create a culture of safety and resilience within an organization.
MINIMIZE RISKS WITH ZERO TRUST
The next natural step in an organization’s journey to security and resilience is to adopt a zero-trust model. This “protect everyone, verify everything” mindset assumes breaches and trusts nothing by default. Essentially, every user and device accessing network resources represents a potential threat and should be treated as such, both to minimize threats born of complacency and to guard against malicious intent.
With Zero Trust, each user is authenticated, authorized and validated before being granted access privileges. The process can be as simple as multi-factor authentication or a more sophisticated technological solution. When designing an insider threat program, zero trust should be the cornerstone. It mitigates the damage by granting only authenticated users access to the applications they need to fulfill their job responsibilities.
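The access decision described above can be made concrete. The following is an added illustration, not code from this article or from Optiv: a small default-deny policy check in which every request is evaluated on its own (identity verified, second factor completed, device compliant, session not stale) and a user only reaches the applications their role is entitled to. The roles, applications, users and thresholds are constructed assumptions. It also shows the defender's side benefit of such a gate: each denial is logged with its reasons, and repeated denials for applications outside a user's role are surfaced for review.

```python
"""Added illustration of a zero-trust, default-deny access decision.

Not code from the article or from Optiv. Every role, application,
user and threshold below is a constructed assumption used only to
show the idea: nothing is trusted by default, each request is checked
in full, and a user only reaches what their job actually requires.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed least-privilege entitlements (assumption): role -> applications.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"ledger", "expense-portal"},
    "developer": {"source-control", "ci-server"},
    "contractor-dev": {"source-control"},
}
MAX_SESSION_AGE = timedelta(hours=8)
SCOPE_DENIAL = "not entitled"


@dataclass
class AccessRequest:
    user: str
    role: str
    application: str
    authenticated: bool      # identity verified by the identity provider
    mfa_passed: bool         # second factor completed for this session
    device_compliant: bool   # managed, patched endpoint per posture policy
    session_started: datetime


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Default deny: access is granted only when every check passes.
    Each failed check is recorded so the denial can be audited."""
    reasons = []
    if not req.authenticated:
        reasons.append("identity not verified")
    if not req.mfa_passed:
        reasons.append("mfa not completed")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if now - req.session_started > MAX_SESSION_AGE:
        reasons.append("session expired, re-authentication required")
    if req.application not in ROLE_ENTITLEMENTS.get(req.role, set()):
        reasons.append(f"{SCOPE_DENIAL}: role {req.role} -> {req.application}")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_line(req: AccessRequest, decision: Decision, now: datetime) -> str:
    """One log line per decision; denials carry their reasons for reviewers."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    detail = "; ".join(decision.reasons) if decision.reasons else "all checks passed"
    return f"{now.isoformat()} {verdict} user={req.user} app={req.application} ({detail})"


def users_probing_outside_role(log_lines, threshold=2):
    """Detection hook: an authenticated user repeatedly denied for applications
    outside their role deserves a look, whether the cause is a misassigned role
    or someone checking what they can reach."""
    counts = {}
    for line in log_lines:
        if " DENY " in line and SCOPE_DENIAL in line:
            user = line.split("user=")[1].split()[0]
            counts[user] = counts.get(user, 0) + 1
    return {u for u, n in counts.items() if n >= threshold}


# Constructed sample requests (assumption), evaluated at a fixed clock.
NOW = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
FRESH = NOW - timedelta(hours=1)
STALE = NOW - timedelta(hours=9)
SAMPLE_REQUESTS = [
    AccessRequest("alice", "finance-analyst", "ledger", True, True, True, FRESH),
    AccessRequest("alice", "finance-analyst", "source-control", True, True, True, FRESH),
    AccessRequest("alice", "finance-analyst", "ci-server", True, True, True, FRESH),
    AccessRequest("bob", "contractor-dev", "source-control", True, False, True, FRESH),
    AccessRequest("carol", "developer", "ci-server", True, True, True, STALE),
]


def run_samples():
    """Evaluate the sample requests; returns (decisions, audit log, flagged users)."""
    decisions = [evaluate(r, NOW) for r in SAMPLE_REQUESTS]
    log = [audit_line(r, d, NOW) for r, d in zip(SAMPLE_REQUESTS, decisions)]
    return decisions, log, users_probing_outside_role(log)


if __name__ == "__main__":
    _, log, flagged = run_samples()
    print("\n".join(log))
    print("review:", sorted(flagged))
```

Running it allows only the first request: alice reaching the ledger with a fresh, MFA-backed session from a compliant device. Her two attempts at developer applications are denied on entitlement alone and, because they repeat, she is listed for review; bob is denied for the missing second factor and carol for a session older than the policy allows. The point of the design is that the same evaluation runs on every request, so "trusted" never accumulates.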
Building a culture of trust in a zero trust environment is not an easy task simply due to the nature of the architecture and the necessities involved in its implementation. However, as with so many difficult concepts, clear and open communication is the best tool any business has.
Honestly communicating the need for increased security while openly explaining the intent behind actively hunting down threats can help alleviate any fears some employees may have about enhanced measures and lessen their apprehensions when it comes time to enforce them.
When properly executed, Zero Trust can actively increase trust between companies and their employees – trust that all steps are taken to protect the organization and safeguard the livelihoods of its employees by ensuring that the business can continue to do business without interruption.
Calling for a zero trust environment within an organization can challenge the commitment based on trust, respect and expectations between the company and its employees. But understanding that it is necessary for organizational resilience and continuity transforms this apparent divide into a connection where all levels of the company work together to safeguard everyone’s best interests.
Kevin Lynch is the CEO of Optiv, the leader in cyber consulting and solutions serving more than 7,000 businesses across all major industries.