So your clients are concerned about cyber security: they have a firewall and have invested in security technology to keep external hackers out of their systems. Despite these investments, cyber incidents keep happening. What is going on? Your client is likely being affected by insider threats, both negligent and malicious. An insider threat is anyone with privileged access to data who can cause a security breach resulting in financial and potentially physical damages. Insiders can be employees, contractors, past associates, and vendors. Anyone who needs access to protected data is a potential insider threat. Most high-profile cases where insider threats were the cause involved a negligent employee opening a malware-laced email. That’s all it takes: one privileged person providing access to sensitive data to unauthorized users, and a whole organization can go down.
Why the focus on insider threats? According to Crowd Research Partners’ annual study, more than half of the cyber attacks experienced by organizations were due to insider threats. Additionally, up to 90% of organizations feel vulnerable to insider threats. Part of this has to do with how security has been framed to the general public. When you discuss security with an average manager or executive, they usually have a perimeter type of security in mind. The traditional way of discussing security was that one should secure the perimeter by having access control points and ensuring that nothing could get in. In today’s world, though, this type of security is no longer enough. No matter how many firewalls are in place, they will not protect an organization from an insider threat. There is now a need for a more comprehensive security approach that takes into account both insiders and outsiders.
The primary reason for this is the format that data now exists in: digital. When data was primarily on paper, insider threats were still an issue, but they were much harder to execute, and theft often did not involve every single document in your organization. When data became digitized, theft became much more efficient and quicker. Data was no longer in a physical medium that one could keep safe in a room or near a desk. Now data sits on a server and can be replicated. So when data theft happens today, it is not the original files that are stolen but copies of that data. Theft usually takes only a few seconds; that is all it takes to steal every document an organization has. With this rise in the efficiency of document theft came the rise in the significance of insider threats.
Step 1: Prepare, Prepare, Prepare
Before engaging with a client about cyber security and insider threats, ask yourself how you are going to center the discussion around them. On the surface it may seem rational for anyone to increase their security to protect their assets, but this ignores a lot of what actually runs through a manager’s mind. If the business is small or medium sized, they may simply assume that they are too small to ever be targeted by hackers, or that their employees are trustworthy and thus need no surveillance.
Step 2: The Security Paradigm & Big Picture
When talking to clients, you will need to know their level of understanding of security in order to know where to start the conversation. If they have stated how much they have invested in IT security, ask what technologies they spent their money on and why. Listen closely to see whether they talk primarily about keeping threats out or about securing their systems from within. If they talk about keeping threats out, then it is time to discuss why perimeter security alone has become obsolete. Be sure not to be rude or condescending in your discussion. Frame total security as an “area of opportunity” or something along those lines. The goal is to build and expand on what the client has already established for their own context.
Step 3: Introduce the Insider
Once a client has an understanding of the big picture, it is time to make the conversation slightly more personal. Introduce the concept of the insider and use hypothetical scenarios showing what real people could do to their organization. Use the environment you are in to demonstrate this. For example, if you are sitting with a client, ask them what data they wouldn’t want falling into the wrong hands. Once they answer, talk with them about who has access to that data and the various ways they share it. It is important to then introduce examples of how their data could be accessed without authorization, whether through negligence or through malicious intent. Make sure to mention phishing, stolen credentials, and malware on the web. Once the person has an understanding of insider threats, move on to trust and security.
Step 4: Trust vs Security Culture
Some businesses may be hesitant to discuss insider threats further due to the misconception that being more secure means they trust people less. If this happens, be sure to reassure the client that their employees will understand the need for security. Try to keep the conversation focused on the business’s integrity, financial risk, and stakeholder confidence. Establishing this is important to keep managers focused on maintaining the business. Work with the client to understand the concept of a security culture at work that gets everyone involved in security. This way employees gradually get used to increased precautions being taken at work against insider-caused data breaches.
Step 5: Provide Resources
Lastly, you want to provide clients with resources to understand more about insider threats. Depending on the client, you may want to provide them not just to managers but to the IT department as well. Such resources include CERT’s guides, which can be a heavy read at times for managers, but the IT department will find great use in them. Encourage managers to discuss insider threats with IT and to follow up.
The key to discussing insider threats with clients is making sure the discussion is contextualized around their unique situation. This makes the threat much more present and real to them. Do not try to scare them, though, and make your client lose trust in everyone they work with. Instead, encourage clients to develop organization-wide practices to counter the threat of insiders. Some of these include an insider threat program, permissions management, and encryption, to name just a few. Be sure to explore all the options you can present to a client and make the case to guide them into accepting them.