It is antithetical to a nation that leads the world in both innovation and technology, yet the cybersecurity industry (and too many companies with valuable IP) seem to look right past the best, and ironically the least-expensive method to mitigate these threats. In our collective rush to create another algorithm or design yet another complex software suite (the newest “shiny box”) to counter the malicious insider or, almost as dangerous, the persistent state-sponsored threat, we seem to be ignoring what is right in front of us.
What is it? The creation of a culture of an informed, empowered and committed workforce, fully appreciative of the threat, knowledgeable of the signs of concerning behavior on the part of co-workers, and clear on exactly what to do and whom to call when they see something suspicious or worrisome. Combine that with enthusiastic corporate leadership and a demonstrated commitment to ensuring this essential training and education of the workforce actually takes place, and you have the simple elixir that will make the difference. If there is little or no perceived commitment by the “boss”, the Director or the CEO, then the likelihood of success is almost nil, because the effort will be perceived as just another exercise and ‘block-checker’ directed by management. And this training, this investment in your workforce, needs to be institutionalized and repeated every ninety days, or as frequently as the risk/vulnerability calculus suggests.
Employees with a true sense of ‘ownership’ are the best first line of defense against the myriad cyber, physical and increasingly sophisticated social engineering threats arrayed against them. After all, they are protecting their own jobs by protecting the company’s intellectual property, reputation and future financial success. Unfortunately, the default position of human nature and the prevailing attitude is more in line with what I noted in an earlier article, gleaned from Fortune magazine several years ago: Tony Robbins pointed out that [only] 29% of employees are “engaged” in their work. Just for fun, the next time you go into a big box store, or even a very high-end boutique store, take a moment to assess the demeanor and attitude of the employee you encounter, and try to get a sense of their ‘ownership’ of their department, section, or the store as a whole. If your experience is anything like mine, it won’t be very high.
So what does all this mean? You and your security team will have an uphill battle trying to establish and maintain this true sense of ownership. It will require work. It will require you and your staff getting out and mixing it up with the workforce. It might even require your team creating rewards and other incentives for them to highlight vulnerable or unworkable, unrealistic systems, policies, or procedures. A sterile, bi-monthly ‘security awareness’ meeting is not going to be enough to change the culture, period. If the workforce is valued, then invest in them and train them as if the future of the Company depended upon it. It may well.
In today’s highly interconnected workplace there is, of course, a clear requirement for best-of-breed software; threat detection software that analyzes behavior patterns is the most sophisticated and creative of these. But the key to turning the tide of these threats is tailored and compelling awareness training, both scheduled and ad hoc, for employees and managers, taught by approachable and experienced security staff. Why? It’s all about the people.
Here are a few ideas:
- Educate and train employees quarterly or semi-annually on security and the latest threats; contact the local FBI office for the most current information.
- Ensure that proprietary information is protected and limit access to the systems staff need to do their jobs. When employees leave or change jobs, promptly revoke access. Conduct careful exit interviews of those leaving under acrimonious circumstances and of those with elevated access to sensitive company data.
- Ensure comprehensive due-diligence research, social media, and background checks before hiring new employees.
- Provide non-threatening, convenient ways for employees to report suspicions.
- Routinely monitor networks for suspicious activity. Publish anonymized results of audits so employees see that policies are being enforced; this serves as a strong deterrent to those who may not “do the right thing when nobody is looking”. On the other end, reward those employees who are of service to their fellow employees and the Organization.
Will this proven method of engaging the workforce as partners with HR, managers, and security result in increased vigilance and identify the next disgruntled employee or malicious contractor like Snowden? A review of past espionage cases suggests that many, but not all, displayed indicators that should have aroused (and sometimes did arouse) concern on the part of co-workers and were reported. But not all culprits display such indicators to co-workers, which is why strong data encryption, two-factor authentication and behavior-based threat detection software are also critical to meeting the threat.
While there is much to be said for a blended approach to this issue, we cannot afford to ignore the single most powerful defensive tool in our security toolbox: fellow employees who are aware of the various threats, understand the basic warning signs of concerning behavior, and know whom to call so as to possibly avert the next data breach.
About the Author: Tom Coyle is CEO/President of Talon Security Solutions, LLC and has extensive experience consulting with both the US Government and private sector companies who wish to better protect their sensitive information from compromise.