Trust and security are two sides of the same coin. As leaders, we’re responsible for cultivating a culture of trust with our employees, and we have a responsibility to employees, clients, and all stakeholders to keep our businesses safe and secure. But how do we foster a culture of transparency and trust when the greatest threat is inside our walls?
The vast majority of breaches—85% according to Verizon’s 2021 Data Breach Investigations Report—contain a human element and often involve people who already have access to a company network: employees and other insiders.
The high cost of a breach ($4.24 million on average in 2021, according to IBM’s Cost of a Data Breach Report), coupled with the often lengthy downtime that follows a successful attack, can easily lead to dramatic and far-reaching consequences that negatively impact the livelihoods of every employee. Reducing risk by even two or three percent can yield huge savings.
COMPLACENCY RISKS AND INSIDER THREATS
The vast majority of employees are good-minded, risk-oriented, observant, and hardworking. Of course they are. Acknowledging and addressing insider threats doesn’t mean a company no longer trusts its employees. Rather, it’s prudent to protect the company itself and the employees who have a vested interest in the organization being able to continue doing business.
Cyber threats originate from both external and internal sources. External threats include hostile nation-states, terrorist groups, criminal gangs, and individual hackers. Ransomware is an example of a fast-growing external threat for companies worldwide, alongside other threats such as malware, social engineering, denial-of-service attacks, zero-day exploits, and injection attacks.
While these threats represent a clear and present danger to any company, let’s focus on the internal threats that arise from individuals directly connected to your organization, such as employees, contractors, or former employees. These people often pose the most significant risk to an organization’s security posture, whether knowingly or not.
Complacent actors are employees who do not have malicious intent but do not always remain vigilant in observing good security hygiene. They may get careless and unknowingly bypass standard protocols, like clicking on a bad link in a phishing email. In fact, in a recent research study, two-thirds of remote employees said they failed to adhere to their company’s cybersecurity policies at least once every 10 workdays.
Disenfranchised actors within your organization don’t always start with malicious intent, but they can eventually take damaging and destructive actions, such as knowingly introducing malicious code into the network. These actors turn malicious for a myriad of reasons, ranging from an organizational change to an event in their personal lives. They may profit from the attack or just want to hurt their employer—and the result is always costly.
Cybercriminals will always seek the path of least resistance. One of the easiest ways to penetrate a network is to exploit a human vulnerability through phishing. That’s why 96% of cyber threats are email-based. All it takes is one employee, complacent or disenfranchised, clicking one bad link for threat actors to obtain credentials and gain access to your environment.
From a behavioral perspective, it is important to have internal cybersecurity awareness training for all employees from the C-suite down. Simulate a phishing email. Dust off the disaster recovery plan and conduct mock training exercises to practice how you will respond in the event of a breach. These are just a few foundational elements that help create a culture of security and resilience within an organization.
MINIMIZING RISK THROUGH ZERO TRUST
The natural next step in an organization’s journey toward security and resilience is adopting a zero trust model. This “protect everyone, verify everything” mindset assumes breach and trusts nothing by default. Essentially, every user and device accessing network resources represents a potential threat and should be treated as such, both to minimize complacency threats and to guard against malicious intent.
With zero trust, every user is authenticated, authorized, and validated before receiving access privileges. The process could be as simple as multi-factor authentication or a more sophisticated technology solution. When designing an insider threat program, zero trust should be the cornerstone. It mitigates damage by only granting authenticated users access to applications that they need to perform their job responsibilities.
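As an added illustration (not code from the original article or from Optiv), the paragraph above in working form: a deny-by-default access decision that checks each request for a proven identity, a completed second factor, a compliant device and a fresh session, and then consults a role-to-application entitlement table so a user reaches only the applications their role needs. The role table, the session limit, the field names and the sample requests are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed assumption: least-privilege entitlements, one application set per job role.
ROLE_APPS = {
    "accounting": {"ledger", "expense-portal"},
    "engineering": {"source-control", "ci-dashboard"},
}
MAX_SESSION_MIN = 60  # assumption: a session must be re-verified after an hour

@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    authenticated: bool     # identity proven (e.g. SSO login)
    mfa_verified: bool      # second factor completed in this session
    device_compliant: bool  # endpoint passed its posture check
    session_age_min: int    # minutes since the last verification

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Deny by default: every check must pass. Returns (allowed, reason)."""
    if not req.authenticated:
        return False, "identity not authenticated"
    if not req.mfa_verified:
        return False, "second factor not completed"
    if not req.device_compliant:
        return False, "device failed posture check"
    if req.session_age_min > MAX_SESSION_MIN:
        return False, "session stale, re-verification required"
    # Least privilege: a role only reaches its own applications; unknown roles get none.
    if req.app not in ROLE_APPS.get(req.role, set()):
        return False, f"role '{req.role}' is not entitled to '{req.app}'"
    return True, "allowed"

def audit(requests: list[AccessRequest]) -> list[str]:
    """Evaluate a batch and emit one audit line per request, denials included."""
    lines = []
    for req in requests:
        allowed, reason = evaluate(req)
        verdict = "ALLOW" if allowed else "DENY"
        lines.append(f"{verdict} user={req.user} app={req.app} reason={reason}")
    return lines

# Constructed sample: a legitimate request, an out-of-role request, and one without MFA.
SAMPLE = [
    AccessRequest("alice", "accounting", "ledger", True, True, True, 5),
    AccessRequest("alice", "accounting", "source-control", True, True, True, 5),
    AccessRequest("bob", "engineering", "ci-dashboard", True, False, True, 5),
]
```

Denied requests are returned with their reason rather than dropped, so the same function feeds both the enforcement point and the security team's audit trail.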
Building a culture of trust in a zero trust environment is not an easy task, simply because of the nature of the architecture and what implementing it asks of people. However, as with a great many difficult concepts, clear and open communication is the best tool any company has at its disposal.
Honestly communicating the need for increased security while openly explaining the intent behind active threat hunting can help alleviate the fears some employees may have regarding the enhanced measures and reduce their trepidations when the time comes to begin implementing them.
When appropriately executed, zero trust can actively increase trust between companies and their employees—trust that every measure is being taken to protect the organization and safeguard the livelihoods of its employees by ensuring the company can continue doing business uninterrupted.
The call for a zero trust environment within an organization can challenge the covenant based on trust, respect, and expectations between the company and its employees. But understanding that it is necessary for the resilience and continuity of the organization turns this apparent divide into a connection where all levels of the company are jointly working toward safeguarding everyone’s best interests.
Kevin Lynch is the CEO of Optiv, the cyber advisory and solutions leader serving more than 7,000 companies across every major industry.