How to create a trust culture in a zero trust environment

Trust and security can be seen as two sides of the same coin. As leaders, we’re responsible for cultivating a culture of trust with our employees, and we have a responsibility to employees, clients, and all stakeholders to keep our businesses safe and secure. How do we foster trust and encourage transparency when the greatest threat is within our walls?

The vast majority of breaches—85% according to Verizon’s 2021 Data Breach Investigations Report—contain a human element and often involve people who already have access to a company network: employees and other insiders.

The high cost of a breach—$4.24 million in 2021 alone, according to IBM’s Cost of a Data Breach Report—coupled with the often lengthy downtime that follows a successful attack can easily lead to dramatic and far-reaching consequences that negatively impact the livelihoods of every employee. Even a reduction of two to three percent in risk can result in huge savings.

COMPLACENCY RISKS & INSIDER THREATS

The vast majority of employees are hardworking, open-minded, risk-oriented, and observant. Acknowledging and addressing insider threats doesn’t mean a company no longer trusts its employees. Rather, it’s prudent to protect the company itself and the employees who have a vested interest in the organization being able to continue doing business.

Cyber threats come from both external and internal sources. Threats from the outside include terrorist groups, hostile nation-states and individual hackers. Ransomware is a rapidly growing threat to companies around the world. It can also be combined with other threats like malware, social engineering, denial-of-service attacks, zero-day exploits and injection attacks.

While these threats represent a clear and present danger to any company, let’s focus on the internal threats that arise from individuals directly connected to your organization, such as employees, contractors, or former employees. These people often pose the most significant risk to an organization’s security posture, whether knowingly or not.

Resigned actors are employees who aren’t malicious in intent but don’t always keep up with security hygiene. They may be negligent and click on a bad link in an email phishing scam. According to a recent study, two-thirds (63%) of remote workers said they had failed to adhere to their company’s cybersecurity policies at least once every 10 workdays.

Disenfranchised actors within your organization don’t always start with malicious intent, but they can eventually take damaging and destructive actions, such as knowingly introducing malicious code into the network. These actors may become malicious for a variety of reasons, from a change in their organization to unforeseen events in their personal lives. They may profit from the attack or just want to hurt their employer—and the result is always costly.

Cybercriminals will always take the shortest route to their goals. Phishing is one of the best ways to penetrate a network. That’s why 96% of cyber-threats are email-based. All it takes is one employee—complacent or disenfranchised—to click one bad link for threat actors to obtain access credentials and access your environment.

From a behavioral standpoint, it is important that all employees are trained in cybersecurity awareness. Simulate a phishing attack. To practice your response in the event that a breach occurs, you can pull out the disaster recovery plan and do mock training exercises. These are just some of the elements that will help to create a culture within an organization that is resilient and secure.

MINIMIZING RISK THROUGH ZERO TRUST

The natural next step in an organization’s journey toward security and resilience is adopting a zero trust model. This “protect everyone, verify everything” mindset assumes breaches and trusts nothing by default. To put it simply, every device and user who accesses network resources can be considered a threat. It is important to treat them as such to avoid complacency and protect against malicious intent.

With zero trust, every user must be authenticated, authorized and validated before they can receive access privileges. This could be as simple or complex as multi-factor authentication. Zero trust should be the foundation of an insider threat program. It minimizes damage by allowing authenticated users access only to the applications they need in order to complete their job responsibilities.

It is difficult to build trust in a zero trust environment. This is simply because of the nature of the architecture and the requirements involved in implementing it. Clear and open communication, like so many other difficult concepts, is the best tool a company has.

Communicating the need for enhanced security and openly explaining the purpose behind active threat hunting can help reduce employees’ fears and trepidations about their implementation.

When appropriately executed, zero trust can actively increase trust between companies and their employees—trust that every measure is being taken to protect the organization and safeguard the livelihoods of its employees by ensuring the company can continue doing business uninterrupted.

The need for an environment of zero trust within an organization could be a challenge to the covenant built on trust, respect, expectations, and cooperation between employees and the company. But understanding that it is necessary for the resilience and continuity of the organization turns this apparent divide into a connection where all levels of the company are jointly working toward safeguarding everyone’s best interests.


Kevin Lynch is the CEO of Optiv, the cyber advisory leader and solutions provider serving over 7,000 companies in every major sector.
