Posted: 13 Jul. 2020 3 min. read

Tackling risks from within: why security culture is so vital in dealing with non-malicious insider threats

Most organisations will acknowledge that people are their greatest asset, but could they be forgetting that employees can also be their weakest link? Insider risk is a rising issue within the workplace and should be deserving of ever greater attention. According to Verizon’s 2020 Data Breach Investigations Report, 34% of data breaches involved internal actors. 

Security breaches can be split into those that are caused by an intent to harm an organisation (‘malicious’) and those that stem from human error and negligence (‘non-malicious’). The 2020 Cost of Insider Threats: Global by the Ponemon institute showed that since 2018, 62% of security breaches are found to be non-malicious – the focus of this blog – compared to 14% of breaches carried out with malicious intent.

Organisations rely on the relationship between their corporate structures and their individual employees’ skills, ideas and motivations in order to achieve business objectives and foster a desired culture. An imbalance can cultivate conditions increasing the likelihood of insider risk with the exploitation of an organisation’s vulnerabilities. How can an organisation deliver a broad security framework that is able to be both practical and scalable, while being able to focus on individual behaviours that are so fundamental to an insider risk problem?

The importance of a strong security culture

While physical and technical security measures can be put in place, if employees lack sufficient awareness of the risks posed, these measures become redundant. A comprehensive security culture has the ability to bind together individuals within an organisation towards a common security goal, reducing inherent risks which can be exploited through human error.

Deloitte believes having employees with a sense of belonging to a concerted effort aimed at preventing security threats where personal accountability is the norm, is the most effective tool in tackling insider risk.

Enabling resilience to adapt to the changing threat landscape

It is impossible to train for every situation, but if employees operate in a security culture that continues to nurture individual awareness and attitudes, then an organisation can build in resilience to deal with unprecedented changes. Few will have anticipated the sweeping changes the COVID-19 crisis has forced upon the workplace and the added security risks that are now present due to home working.

Organisations with an agile and adaptable workforce, can reap the benefits of having established a mature security culture - better visibility into risks, fewer cybersecurity incidents and the ability to get back to business faster following an incident.

Cultivating a strong culture - repetition of both what and why from the top down

Cultures are grown, as opposed to installed or bought. An effective security culture framework should include reaffirmation of key security principles to enable employees to understand what their security culture is and why it is important. As insider risk is relevant at every level of an organisation, the attitude in achieving the desired security culture must be prevalent from the top down to provide vital credibility.

Deloitte have found that many organisations already have the baseline building blocks in place, from real-time alerts that explain potential policy violations, to making security policies readily available and relevant to employees. In our experience however, there are many more innovative ways to achieve continual growth of a security culture:

  • Build the security community – instil the ideal that security belongs to everyone
  • Security champion schemes – develop the security ‘backbone’ of your organisation
  • Focus on general awareness and beyond – expand the knowledge base
  • Targeted and engaging training – introduce new methods such as gamification or competition
  • Security performance incentives – look for opportunities to celebrate success

A stich in time saves nine

How is your organisation adapting their security culture and framework to manage insider risk?

While there is no silver bullet to address insider threats, a mature security culture can support risk management capabilities to locate and remedy weaknesses in processes and technologies, as well as locate new threats before they can result in actual damage to the organisation.

Though ‘culture’ is challenging to measure, a thorough investment in cyber awareness and the importance of fostering a strong security culture will, in the long-term, pay dividends for companies looking to minimise their insider risk.

Sign up for the latest updates

Key contact

Agnieszka Eile

Agnieszka Eile


Agnieszka leads our Corporate Security Team within Risk Advisory. She has over 10 years of experience delivering projects in security risk management, helping clients evaluate the maturity of their security functions, design and implement security strategies, develop security risk management frameworks and enhance organisations’ overall security culture. Agnieszka has led and delivered several corporate security projects for organisations across a range of industries, including Financial Services, Technology and Media, Retail, Critical National Infrastructure (CNI) and the Public Sector. She helps companies prepare for and respond to known and unforeseen disruptive risk events.

Sophia Graham Francies

Sophia Graham Francies


Sophia is a Consultant in the UK Cyber Risk Services practice, with experience in Corporate Security. She has worked across a range of sectors, supporting clients on how to understand and manage their security and privacy risks through developing effective security and privacy strategies and implementing organisational awareness and process change. Sophia comes from an International Relations background and prior to joining Deloitte in 2018, she worked in Start-Ups advising Government and SME clients on cyber security.