The rise of insider threats and risks has become a major concern for organisations across the globe. A single cyber attack can cause serious financial and reputational damage, and internal routes are becoming an increasingly common avenue for cyber crime.
In Proofpoint’s 2022 Voice of the CISO report, insider threats were raised as the top cyber security concern among CISOs. In Verizon’s 2022 Data Breach Investigation Report, internal actors were responsible for 94% of all lost and stolen assets, while the human element was involved in over 82% of data breaches.
Effective cyber security programmes and awareness training are essential for protecting businesses from these threats. Arming your employees with the knowledge to protect themselves and make safe, informed decisions will empower them to keep both personal and professional data secure.
To combat insider threats, you need to pinpoint careless users and train out poor security behaviours.
In this article, we will explore the importance of cyber security awareness training in reducing insider threats and risk.
Insider threats or risks refer to cyber attacks carried out by individuals within an organisation, such as direct employees or third party vendors. According to a recent report, insider threats account for nearly 60% of cyber attacks.
These attacks can be active and intentional, for example an employee stealing sensitive information for personal gain. These attackers are referred to as ‘malicious insiders.’
Insider attacks can also be unintentional, such as an employee accidentally sharing confidential information with the wrong person because of fraud or social engineering. These attackers are referred to as ‘inadvertent insiders.’
Alternatively, the Cybersecurity and Infrastructure Security Agency (CISA) defines ‘insider threat’ as: “the potential for an insider to use their authorised access or understanding of an organisation to harm that organisation.”
Insider attacks, like any devastating cyber attack, can cause considerable damage to an organisation’s finances, reputation, trust, and authority. And with the continued rise in cyber attacks stemming from insider threats, it is crucial for organisations to implement effective cyber security awareness training.
There are many standard cyber security measures you can implement to dampen the threat of insider risks. For example, firewalls, intrusion detection and prevention systems, anti-virus software and data encryption are all recommended to combat insider threats. Furthermore, organisations should regularly update and patch their software and systems to remove vulnerabilities that could be exploited by attackers.
However, we must never ignore the power of cyber security awareness training and verification policies such as ‘Zero Trust’ models that compartmentalise actions on a network and require authentication before any action.
The global zero trust market is projected to reach a whopping $52 billion by 2026 (CNBC). This market has seen a steep increase in adoption due to a shift to multilocation remote working. The term ‘Zero Trust’ comes from Forrester Research analyst John Kindervag, who said: “Never trust, always verify.” His view is that risk is an inherent factor both inside and outside a network.
In a zero trust security framework, all employees/users who are operating on an organisation’s network (both internally and externally), must be authorised for access by authenticating their credentials. The zero trust framework is not a one-and-done authorisation. Instead, users will have to seek continuous validation to be granted access to an organisation’s data and applications.
The typical zero trust security framework combines multifactor authentication with strong endpoint security and user ID verification systems to evaluate and decide each access request on the spot. Zero trust models also encrypt data, secure emails, and regularly scan assets and data to make sure nefarious code or documents have not infiltrated the system.
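To make the “not a one-and-done authorisation” point concrete, here is an added Python example (not code from TSC or from the article) of a deny-by-default policy check that re-evaluates every request against session age, MFA freshness, device posture and a least-privilege entitlement table. The time limits, roles, resources and the device-posture flag are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, Set, Tuple

# Constructed policy limits (assumptions for this example, not from the article)
MFA_MAX_AGE = 15 * 60        # seconds before a fresh MFA proof is required again
SESSION_MAX_AGE = 8 * 3600   # hard lifetime of a session, regardless of activity

# Least-privilege entitlements: role -> resource -> permitted actions (constructed)
ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "finance": {"payroll-db": {"read"}, "invoices": {"read", "write"}},
    "engineer": {"source-repo": {"read", "write"}},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    now: int                # request time, seconds since epoch
    session_started_at: int
    mfa_verified_at: int    # when the user last completed MFA
    device_compliant: bool  # endpoint posture reported by a (hypothetical) agent

def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Deny-by-default decision for one request. Every check is redone each
    time; nothing is carried over from an earlier 'allow' (continuous validation)."""
    if req.now - req.session_started_at > SESSION_MAX_AGE:
        return False, "session expired"
    if req.now - req.mfa_verified_at > MFA_MAX_AGE:
        return False, "MFA proof stale, re-authentication required"
    if not req.device_compliant:
        return False, "device not compliant"
    allowed = ENTITLEMENTS.get(req.role, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, "no entitlement for this action on this resource"
    return True, "allow"

def demo() -> list:
    """Same user, same session: the verdict changes as conditions change."""
    t0 = 1_700_000_000  # constructed timestamp
    first = AccessRequest("alice", "finance", "payroll-db", "read", t0, t0, t0, True)
    results = [evaluate(first)[1]]                                       # allow
    results.append(evaluate(replace(first, now=t0 + 20 * 60))[1])        # MFA stale
    results.append(evaluate(replace(first, device_compliant=False))[1])  # posture
    results.append(evaluate(replace(first, action="write"))[1])          # least privilege
    return results
```

Running `demo()` shows the same user being allowed and then denied within one session as the MFA proof ages, the device falls out of compliance, or an action outside the role's entitlement is attempted.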
One of the most effective ways to reduce the risk of insider attacks is by providing employees with effective cyber security awareness training. Regular awareness training educates employees about the risks of cyber attacks and provides them with the knowledge and skills to identify and prevent potential threats. Considered and targeted employee awareness will connect with your employees, especially if your training includes case studies and contextual anecdotes to drill the ramifications of a breach into staff.
According to a Ponemon Institute study, organisations that provide regular cyber security awareness training to their employees experienced a 64% reduction in the frequency of cyber attacks.
Employee awareness training is a crucial component of an effective cyber security programme. If you deliver training frequently and effectively, it will reduce the risk of insider attacks, improve your overall cyber security culture and foster a healthy, competitive atmosphere, minimise financial and reputational damage, show your organisation is compliant with official regulations and standards, and show potential customers/clients that you can be trusted with their loyalty.
Running organisation-wide security behavioural surveys and assessments, such as TSC’s SABR, to pinpoint gaps in security and potential risks will do wonders in reducing insider risks. If you continually look inwards and are truthful about your vulnerabilities, both at organisation-level and employee-level, you can take the necessary measures to reduce said risks.
At TSC, we are big proponents of targeting your training and development programmes as you will get the highest return on your investment in terms of employee development.
One of our most popular online courses is our ‘Security Induction’ course. This is because our clients know that introducing a new employee into an established security culture will go far more smoothly if they have a sturdy foundation of official policies and controls. An effective security induction programme for new employees will ensure you are not diluting your strong security culture.
New employees could consciously or unconsciously compromise your organisation’s security because they lack knowledge of your security policies, are prone to making mistakes in a new and unfamiliar environment, or have never been trained in cyber security awareness. They need to be supported with a comprehensive induction process.
Supporting induction processes such as this with regular cyber attack simulations to keep employees on their toes is the next step in your employee development programme. For example, perform simulated phishing or social engineering attacks on your employees to see who is carrying over their security training and who is letting it go in one ear and out the other. Again, repeating this step regularly allows you to keep plugging your security gaps and building back stronger security behaviours.
Security protocols such as ‘Zero trust’ and effective cyber security awareness training can help reduce the risk of insider attacks, protect confidential information, maintain the trust of customers, and keep your organisation secure.
As the number of cyber breaches resulting from insider threats increases year by year, it is crucial for businesses to implement cyber security awareness training and invest in development programmes for employees. When you show your employees that they are an important and valued part of your organisation, by showing care in their training and development, they are more likely to empathise with their employers. As a result, they will act more safely and handle professional data more securely!
If you would like more information about how The Security Company can help your organisation and deliver security awareness training and employee development for you ... or how we can run a behavioural research survey to pinpoint gaps in your security culture ... or how we can improve your employee induction process, please contact Jenny Mandley.
© The Security Company (International) Limited 2023