Posted: 13 Jul. 2020

Tackling risks from within: why security culture is so vital in dealing with non-malicious insider threats

Most organisations will acknowledge that people are their greatest asset, but could they be forgetting that employees can also be their weakest link? Insider risk is a rising issue within the workplace and should be deserving of ever greater attention. According to Verizon’s 2020 Data Breach Investigations Report, 34% of data breaches involved internal actors. 

Security breaches can be split into those that are caused by an intent to harm an organisation (‘malicious’) and those that stem from human error and negligence (‘non-malicious’). The Ponemon Institute’s 2020 Cost of Insider Threats: Global report showed that since 2018, 62% of security breaches have been found to be non-malicious – the focus of this blog – compared to 14% of breaches carried out with malicious intent.

Organisations rely on the relationship between their corporate structures and their individual employees’ skills, ideas and motivations in order to achieve business objectives and foster a desired culture. An imbalance between the two can create conditions that increase the likelihood of insider risk and of an organisation’s vulnerabilities being exploited. How can an organisation deliver a broad security framework that is both practical and scalable, while still focusing on the individual behaviours that are so fundamental to the insider risk problem?

The importance of a strong security culture

While physical and technical security measures can be put in place, if employees lack sufficient awareness of the risks posed, these measures become redundant. A comprehensive security culture has the ability to bind together individuals within an organisation towards a common security goal, reducing inherent risks which can be exploited through human error.

Deloitte believes that giving employees a sense of belonging to a concerted effort to prevent security threats, in which personal accountability is the norm, is the most effective tool in tackling insider risk.

Enabling resilience to adapt to the changing threat landscape

It is impossible to train for every situation, but if employees operate in a security culture that continues to nurture individual awareness and attitudes, then an organisation can build in resilience to deal with unprecedented changes. Few will have anticipated the sweeping changes the COVID-19 crisis has forced upon the workplace and the added security risks that are now present due to home working.

Organisations with an agile and adaptable workforce can reap the benefits of having established a mature security culture - better visibility into risks, fewer cybersecurity incidents and the ability to get back to business faster following an incident.

Cultivating a strong culture - repetition of both what and why from the top down

Cultures are grown, as opposed to installed or bought. An effective security culture framework should include reaffirmation of key security principles to enable employees to understand what their security culture is and why it is important. As insider risk is relevant at every level of an organisation, the attitude in achieving the desired security culture must be prevalent from the top down to provide vital credibility.

Deloitte have found that many organisations already have the baseline building blocks in place, from real-time alerts that explain potential policy violations, to making security policies readily available and relevant to employees. In our experience however, there are many more innovative ways to achieve continual growth of a security culture:

  • Build the security community – instil the ideal that security belongs to everyone
  • Security champion schemes – develop the security ‘backbone’ of your organisation
  • Focus on general awareness and beyond – expand the knowledge base
  • Targeted and engaging training – introduce new methods such as gamification or competition
  • Security performance incentives – look for opportunities to celebrate success

A stitch in time saves nine

How is your organisation adapting their security culture and framework to manage insider risk?

While there is no silver bullet to address insider threats, a mature security culture can support risk management capabilities to locate and remedy weaknesses in processes and technologies, as well as locate new threats before they can result in actual damage to the organisation.

Though ‘culture’ is challenging to measure, a thorough investment in cyber awareness and in fostering a strong security culture will, in the long term, pay dividends for companies looking to minimise their insider risk.

Key contact

Agnieszka Eile

Director

Agnieszka is a Director in the Risk Advisory practice, where she focuses on Cyber, Digital & Data risk. She works predominantly with Financial Services clients, including banking and capital markets, and private wealth management. She has over 13 years of experience advising organisations on non-financial risk management. Specifically, she helps clients evaluate the maturity of their technology and cyber security risk and control functions; design, develop and implement risk and controls management frameworks; and enhance organisations’ overall risk management culture. Agnieszka has led and delivered several information security risk and controls assessments, internal audits, maturity reviews and regulatory reviews for organisations across a range of industries and sectors, helping national and global companies prepare for and respond to known and unforeseen risk events.

Sophia Graham Francies

Consultant

Sophia is a Consultant in the UK Cyber Risk Services practice, with experience in Corporate Security. She has worked across a range of sectors, supporting clients on how to understand and manage their security and privacy risks through developing effective security and privacy strategies and implementing organisational awareness and process change. Sophia comes from an International Relations background and prior to joining Deloitte in 2018, she worked in Start-Ups advising Government and SME clients on cyber security.