Security threats are one of the biggest concerns for any business today. However, despite the increased investment in the latest technology solutions - from firewalls and antivirus filters to advanced intrusion detection and prevention systems - the number of incidents continues to increase.
While criminal elements are always looking for new ways to bypass defenses, it remains true that for many companies, the biggest weakness they have is their own workforce. According to Verizon, more than a third of all publicly reported data breaches (34%) are the result of insider threats. But as up to 70% of insider threats are never reported externally, the true figure may be far higher.
The security challenges posed by insiders
When people think of insider threats, they may imagine disgruntled employees looking to do damage or extract valuable information from databases they may or may not have access to. But so-called malicious insiders only make up a relatively small percentage of these threats. Indeed, according to the Ponemon Institute's 2020 Cost of Insider Threats Global Report, only 14% of incidents are the result of criminal insiders.
The biggest dangers come from two other types of insider threat - compromised users and careless users. The former consists of those who may have inadvertently downloaded malware or shared sensitive information with the wrong person, and they can be especially dangerous for firms, as neither the user nor the IT department will know about the breach.
Compromised users often overlap with careless users. Following a link in a phishing email that instructed them to enter login details into a phony website is certainly careless, for instance, and leads to confidential data being compromised. But careless behaviour can also cover everything from sending email attachments to the wrong recipient to leaving an unencrypted laptop on a train.
The cost of insider threats
Insider threats, whether accidental or deliberate, are one of the biggest and fastest-growing security threats faced by any business. The Ponemon Institute's research notes that the number of incidents reported has increased by 47% since 2018.
More importantly, the costs of dealing with these incidents are also on the rise. Since 2018, these expenses have risen by 31%, with the average large business spending $11.45 million to detect, contain and investigate such threats.
However, this cost rises sharply the longer it takes businesses to respond. On average, incidents that are dealt with within 30 days cost firms $1.12 million, while those that take 90 days to contain cost $13.71 million. And as it takes an average of 77 days to contain an insider incident, this shows how important it is to react quickly and avoid simple mistakes.
Key steps in establishing a security culture
The best way to prevent insider threats is to instill a culture of security throughout the business. However, this is about much more than the occasional training session reminding people of their responsibilities. A good culture needs to be an everyday part of life at a business, and should affect everything people do. Here are a few things to keep in mind to make this a reality.
1. Start at the top
No security culture can succeed unless employees believe that it applies to everyone, and this means starting at the top. Privileged users, including IT teams and senior executives, need to set a positive example for other employees. This includes following the same rules as everyone else - no exceptions where it might be more convenient to bypass a security requirement.
Training is a vital part of building a security culture, but it has to be done in the right way. Occasional lectures where employees are given a list of dos and don'ts - often without context - won't be effective in getting the messaging to sink in. Instead, be sure to link policies back to real-life examples so employees can understand the reasons behind them, and make it fun and engaging, with quizzes and interactive elements.
Reinforce the messages you put out in training by encouraging staff members to share anything interesting they find or flag any suspicious activity they come across. For instance, if someone receives a suspicious email, warning other people via chat about what to look out for (without sending around the potentially malicious email itself) can be a good way to keep security in people's minds on a day-to-day basis.
You should also look for opportunities to reward people for their success. This could be as simple as offering a small prize for the top performers in security quizzes or simulations, or something more substantial such as incentives for people who alert the IT team to any potential vulnerabilities. You could even offer personnel the chance to make security a part of their career development, by encouraging people to gain qualifications and make this a part of their role.