Trust and security are two sides of the same coin. As leaders, we have a responsibility to foster a culture of trust among our employees, and we have a responsibility to employees, customers and all stakeholders to keep our businesses safe and secure. But how do we foster a culture of transparency and trust when the greatest threat lurks behind our walls?
The vast majority of breaches — 85% according to Verizon’s 2021 Data Breach Investigations Report — contain a human component and often affect people who already have access to a corporate network: employees and other insiders.
The high cost of a breach — $4.24 million in 2021 alone, according to IBM’s Cost of a Data Breach Report — coupled with the often long downtimes following a successful attack, can easily lead to dramatic and far-reaching consequences that negatively impact data security Livelihoods of businesses impact every employee. Reducing risk by just two or three percent can result in huge savings.
SECURITY RISKS AND INSIDER THREATS
The vast majority of employees are good-natured, risk-taking, observant and hard-working. Of course they are. Recognizing and addressing insider threats doesn’t mean a company stops trusting its employees. Rather, it is advisable to protect the company itself and the employees who have a vested interest in the organization being able to continue in business.
Cyber threats come from both external and internal sources. External threats include hostile nation-states, terrorist groups, criminal gangs, and lone hackers. Ransomware is an example of a rapidly growing external threat facing organizations worldwide, along with other threats such as malware, social engineering, denial of service attacks, zero-day exploits, and other injection attacks.
While these threats are a clear and present danger to any organization, we focus on the internal threats posed by those directly connected to your organization such as: B. Employees, contractors or former employees. These individuals often pose the greatest risk to an organization’s security posture, whether knowingly or unknowingly.
Complacent actors are employees who have no malicious intentions but do not always remain vigilant by practicing good safety hygiene. They can become careless and unknowingly bypass standard protocols, like clicking a broken link in a phishing email. In fact, in a recent research study, two-thirds of remote workers said they failed to comply with their organization’s cybersecurity policies at least once every 10 workdays.
Disenfranchised actors in your organization don’t always start out with malicious intent, but they can eventually take harmful and destructive actions, such as: B. knowingly introducing malicious code into the network. These actors become malicious for a variety of reasons ranging from an organizational change to an event in their personal lives. They can benefit from the attack or just harm their employer – and the result is always costly.
Cyber criminals always look for the path of least resistance. One of the easiest ways to penetrate a network is to exploit a human vulnerability through phishing. This is why 96% of cyber threats are email based. All it takes is one employee—smug or disenfranchised—to click a bad link so attackers can gain credentials and gain access to your environment.
From a behavioral perspective, it is important to conduct internal cybersecurity awareness training for all employees from the C-suite down. Simulate a phishing email. Dust off the disaster recovery plan and run simulated training exercises to practice how to respond in the event of a breach. These are just a few basic elements that help create a culture of safety and resilience within an organization.
MINIMIZING RISK THROUGH ZERO TRUST
The natural next step in an organization’s journey to security and resiliency is to adopt a Zero Trust model. This “protect all, check everything” mentality assumes violations and trusts nothing as standard. Essentially, every user and device accessing network resources poses a potential threat and should be treated as such to minimize complacency threats and protect against malicious intent.
With Zero Trust, each user is authenticated, authorized and validated before being granted access rights. The process can be as simple as multi-factor authentication or a more sophisticated technology solution. When designing an insider threat program, Zero Trust should be the cornerstone. It mitigates harm by only granting authenticated users access to applications they need to perform their job tasks.
Building a culture of trust in a Zero Trust environment is not an easy task due to the nature of the architecture and the imperatives associated with its implementation. But as with many difficult concepts, clear and open communication is the best tool a company has.
Honestly communicating the need for enhanced security while being open about the intent behind active threat hunting can help ease some employees’ fears about the enhanced controls and lessen their apprehension when it comes time to begin implementation .
When implemented appropriately, Zero Trust can actively build trust between companies and their employees – confidence that all steps are being taken to protect the organization and safeguard the livelihoods of its employees by ensuring that the company can continue its business without interruption can.
Demanding a Zero Trust environment within an organization can challenge the contract based on trust, respect and expectations between the company and its employees. But understanding that this is necessary for organizational resilience and continuity turns this apparent chasm into a connection where all levels of the organization work together to protect everyone’s best interests.
Kevin Lynch is CEO of Optiv, the leading cyber consulting and solutions provider serving more than 7,000 companies across all major industries.