In the first 3 quarters of 2020, there were 2,935 publicly reported data breaches that exposed more than 36 billion records. To combat this growing problem, most companies have focused mainly on external threats. While it is certainly important to implement a sound outside threat program, breaches are more likely to occur due to insider threat from employees. This issue of insider threat was discussed in a recent article published in the peer-reviewed Journal of Business and Psychology by Reeshad Dalal, David Howard, Rebecca Bennett, Clay Posey, Steve Zaccaro, and Bradley Brummel. They recommend that you don’t forget insider threat to cybersecurity.
Don’t Forget Insider Threat to Cybersecurity
Insider threats come from the actions or inactions of employees that allow data breaches. As the Dalal team explains, behaviors come in three types.
- Forgetful Oversights. These are accidental behaviors that come from forgetting to perform an action (forgetting to turn off a computer) or from failing to notice a problem.
- Failing to Take Care. These are actions that are purposely performed but are not intended to cause a breach. For example, an employee might write a password on a piece of paper left in plain sight. Such acts might occur due to a lack of knowledge.
- Malicious Actions. These are intentional acts designed to cause harm, such as stealing data.
All three types of behavior can have disastrous consequences, but they have different remedies.
Areas of Focus to Reduce Cybersecurity Threats
The Dalal team noted several areas of focus concerning insider threat. They noted that these areas are in need of research attention so that we can better understand the drivers and consequences. These areas provide a roadmap of where organizations might focus attention on combatting cybersecurity threat.
- Cybersecurity Behavior. The ultimate focus for insider threat is on employee behavior. This means paying attention to factors that drive both malicious and non-malicious behavior. Malicious acts can be forms of counterproductive work behavior driven by poor treatment of employees and by stress. Non-malicious behavior can be the result of ignorance of safe procedures and negative attitudes about safety.
- Attitude Toward Cybersecurity. Attitudes are how people feel about something—do they like or dislike it; do they feel it is important or unimportant. Of importance here is attitude toward cybersecurity. If an employee does not feel it is important, he or she will probably make little effort toward staying safe. One area of intervention would be to improve employee cybersecurity attitudes. This can be done by providing consistent positive messages about cybersecurity importance and by developing a positive cybersecurity climate.
- Organizational Climate. Organizational climate concerns the sorts of behaviors that are encouraged versus discouraged at work. An organization with a positive cybersecurity climate will have policies and practices that encourage safe behaviors. As I discussed in an earlier blog article, there are five ways in which organization management can build strong climates. These include modeling the expected safe behavior, making expectations about safety clear, sending clear messages about the importance of safety, having written policies, and enforcing policies.
- Knowledge, Skill, and Ability. Performing any task at work requires that employees have the necessary knowledge, skill, and ability (the KSAs) to do so. Cybersecurity is no exception, so management must be sure that employees are well trained in safe data handling and in how to avoid outsider threats. An effective training program and a system to track employee KSAs are essential to maintaining cybersecurity.
The best firewalls and cybersecurity systems are insufficient if insiders behave in ways that undermine security. As much effort needs to be directed to insider threats, both malicious and non-malicious, to have a fully effective cybersecurity system.
Photo by Saksham Choudhary from Pexels