How can embracing a cyber resilience culture reduce insider risk?
In this article, we examine how embedding a cyber resilience culture within an organization can help mitigate insider risk.
We are all aware that the number of cyber-attacks is increasing, with the role of insiders in these attacks becoming more integral as technological measures to stop external attacks become more sophisticated. Indeed, 72.4% of respondents to the BCI’s Cyber Resilience Report 2023 saw disruption through phishing or spear phishing over the past 12 months, while 27% saw disruption caused by social engineering. Both of these attacks depend on the actions of an insider within an organization.
Sarah Armstrong-Smith, Chief Security Advisor, Microsoft, discussed in a recent members-only interview with the BCI that attackers are starting to target social engineering as a more effective method to get credentials/passwords from personnel, since technology and security has reached a level of sophistication where it can be much more difficult to attack an organization with brute force.
“Recognizing an insider threat has proven to be a much more difficult task that poses a significant amount of risk. For instance, to overcome an air-gapped environment, an external attacker would have to plan a sophisticated attack, but an insider could connect to the air-gapped network without any difficulties with Internet-of-Things (IoT) devices (e.g., install Internet-connected small mobile device in the USB port).[1]”
When discussing insider risk, it’s important to understand that ‘insiders’ can include personnel, consultants and contractors, as well as those from third parties who have access to internal systems. Several types of insider threat exist and can be linked to the intention of the insider, for example, in some literature the different types of threat are referred to as the malicious, compromised, or careless insider[2]. In this context, a malicious insider would be a stakeholder who willingly shares confidential internal information outside the organization, with their motivation ranging between anything from dissatisfaction with their employer to financial gain.
Our previous interview with Sarah Armstrong-Smith also touched upon how to foster a view of BC and resilience functions within organizations as business enablement, rather than functions which are only used in the event of an emergency. This is important within the context of this article as we seek to understand what we can do to create a culture of cyber resilience which stops an insider risk developing into an insider threat.
Firstly, we should establish the potential differences between an insider risk and an insider threat. In this article we will be referring to an insider risk as a situation that has the potential to cause an impact to operations, while a threat will refer to a more developed situation in which an insider is in a position to cause that impact, or has already begun to. Indeed, different approaches are valid for each of these situations. For example, a threat could be mitigated through the implementation of digital solutions which can quickly provide an extra layer of security and limit the impact of the threat. On the other hand, changes in an organization’s cyber resilience culture may mitigate the potential for a risk developing into a threat.
Since insider risk is inextricably tied to the personnel within, or working alongside, an organization, it is an issue that can be influenced by the culture in which these personnel are situated.
Why now?
The pandemic has played a significant role in the rise of cyber-attacks, with insider risk proving to be no exception, as Ratna Pawan notes here:
“Insider risk has increased substantially since the onset of COVID-19, when employees started working from home or anywhere outside the controlled environment of their workplace; thereby opening themselves up to a wide range of new threats. These employees may not realise that their laptops and other gadgets on which they login for work, are storehouses of their employer’s data, which they can negligently, if not maliciously, compromise.”
We have seen the impact of a changing working environment on other cyber threats as well. However, another layer with insider risk is related to the loss of organizational culture. “Employees are increasingly working outside the four walls of the workplace which not only had better physical and technological mitigants in place, but also had an environment where team members and managers were working together; motivating, balancing, and correcting each other,” says Ratna. Therefore, we can see how, with employees now in an environment where some aspects of organizational culture have been lost and where it is logistically easier to leak critical/sensitive information, this type of attack is happening more and more.
Research by Saxena, et al, has also noted the technical challenges of allowing privileged users to work from home, especially with regards to the added complexities in data security:
“A new problem is that organizations are allowing users who have administrative or root-level access rights to work from home. This is problematic as keeping the data secure from the insider can be more challenging.”[3]
What factors can contribute towards an insider threat?
The majority of breaches or cyber-attacks that involve the actions of an insider are not caused intentionally. Therefore, incorporating training and awareness as a part of an organization’s cyber resilience culture is fundamental to stop this risk developing into a threat, as we will see later in this article.
However, the actions of these so-called ‘careless’ insiders can be seen as linked to other elements of general organizational culture. For example, through the course of their job, personnel may find themselves confronted by mounting deadlines, increased pressure from management, etc., any of which could test their concentration and contribute to carelessness when it comes to clicking on malicious links or otherwise compromising critical information.
“Employees have gone through a stressful period since the pandemic and various reports indicate a direct correlation between the stressors impacting employees and an increase in insider risk incidents,” says Ratna.
Indeed, the proportion of cyber-attacks caused by an employee opening up a link in a malicious email was 52.4%, according to the BCI’s Cyber Resilience Report 2023, while the deliberate malicious actions of an insider was the cause of a cyber-attack for just 16.8% of respondents.
While only making up a fraction of insider incidents, the actions of malicious or compromised insiders and their relationship to organizational culture should be explored. Especially since the Cyber Resilience Report notes that “these types of incidents may also be reduced through an improvement in the overall corporate culture.”
In this scenario, an appropriate question would be: if a sound organizational and cyber resilience culture mitigates insider risk, what happens if this culture is affected? For example, in the wake of the Great Resignation and after considerable layoffs in the tech industry at the start of this year, attention has been drawn to the insider threat posed when an employee leaves their post. The scale of layoffs within some organizations may also mean that some of their more regular protocols come under pressure. For example, a high number of staff leaving at one point in time may unintentionally leave accounts, credentials or remote-access routes active in internal systems, which former employees can still use. We have also seen how some of the strategies used by large-scale organizations to manage this particular threat can damage organizational culture, for example employees learning the fate of their position during large-scale layoffs by having their internal access removed and their accounts wiped[4]. While this nuclear option does reduce the chances of an insider threat from the departing employees, it can also cause a significant impact to the morale of those remaining within the organization.
DTEX i3 has found that there was a 35% increase in data theft incidents caused by employees leaving companies in the first half of 2022. They also add that “12% of employees take sensitive IP with them when they leave an organization including customer data, employee data, health records, sales contracts.”[5] Data exfiltration (unauthorised removal of data) from an organization has been found to be more likely just before an employee is due to resign[6]. While it may not be intentional or malicious, any sensitive data that leaves an organization with a departing employee is a security concern.
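The two offboarding failures described above, access that survives a departure and data leaving with a departing employee, can both be checked against data most organizations already hold. The following is an added illustration for this article, not code from the BCI, DTEX or any vendor: it reconciles a constructed HR leaver list against a constructed identity-directory export to find accounts that should have been disabled or that nobody owns, then compares each leaver's outbound data volume in the days before the leave date with that person's own earlier baseline, and lists any use of a leaver's account after the leave date. All records, field layouts and thresholds are assumptions made for the example.

```python
"""Offboarding reconciliation and pre-departure exfiltration check.

Added illustration, not the article's or any product's code. All HR,
directory and transfer records below are constructed sample data and
the thresholds are assumptions, not recommended values.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR export: user -> last working day; and current staff.
HR_LEAVERS = {"alice": date(2023, 3, 10), "bob": date(2023, 3, 24)}
HR_ACTIVE = {"carol"}
AS_OF = date(2023, 3, 31)  # date the reconciliation is run

# Constructed identity-directory export: account -> enabled flag.
DIRECTORY = {
    "alice": False,      # disabled on departure, as expected
    "bob": True,         # left, but the account was never disabled
    "carol": True,
    "svc-legacy": True,  # enabled account with no HR record at all
}


def build_sample_log():
    """Constructed DLP/proxy summary: (day, user, bytes sent externally).

    Everyone sends about 1 MB/day. Bob bulk-uploads 40 MB/day in the week
    before he leaves, and his account is used again after he has gone.
    """
    log = []
    last_day = {"alice": date(2023, 3, 10), "bob": date(2023, 3, 24), "carol": None}
    for offset in range(90):  # 1 Jan .. 31 Mar 2023
        day = date(2023, 1, 1) + timedelta(days=offset)
        for user, last in last_day.items():
            if last is None or day <= last:
                log.append((day, user, 1_000_000))
        if date(2023, 3, 17) <= day <= date(2023, 3, 23):
            log.append((day, "bob", 40_000_000))
    log.append((date(2023, 3, 28), "bob", 5_000_000))
    return log


def stale_accounts(directory, hr_leavers, hr_active, as_of, grace_days=1):
    """Leaver accounts still enabled after the grace period, plus enabled
    accounts with no HR owner (neither a leaver nor an active employee)."""
    still_enabled = sorted(
        user for user, left in hr_leavers.items()
        if directory.get(user) and as_of > left + timedelta(days=grace_days)
    )
    orphaned = sorted(
        user for user, enabled in directory.items()
        if enabled and user not in hr_leavers and user not in hr_active
    )
    return {"still_enabled": still_enabled, "orphaned": orphaned}


def _daily_totals(log):
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, nbytes in log:
        totals[user][day] += nbytes
    return totals


def _mean_per_day(days, lo, hi):
    """Mean bytes/day over the interval (lo, hi], counting quiet days as zero."""
    span = (hi - lo).days
    total = sum(b for d, b in days.items() if lo < d <= hi)
    return total / span if span else 0.0


def pre_departure_spikes(log, hr_leavers, window_days=14, baseline_days=60,
                         ratio=3.0, min_bytes=10_000_000):
    """Flag leavers whose outbound volume in the last `window_days` before the
    leave date is `ratio` times their own earlier baseline (the rest of the
    `baseline_days` look-back). `min_bytes` suppresses trivially small spikes."""
    totals = _daily_totals(log)
    findings = {}
    for user, left in hr_leavers.items():
        days = totals.get(user, {})
        base = _mean_per_day(days, left - timedelta(days=baseline_days),
                             left - timedelta(days=window_days))
        recent = _mean_per_day(days, left - timedelta(days=window_days), left)
        if recent * window_days >= min_bytes and (base == 0 or recent >= ratio * base):
            findings[user] = {"baseline_avg": base, "window_avg": recent,
                              "ratio": recent / base if base else float("inf")}
    return findings


def post_departure_activity(log, hr_leavers):
    """Days on which a leaver's account still sent data after the leave date:
    exactly the access that offboarding should have removed."""
    seen = defaultdict(set)
    for day, user, _ in log:
        if user in hr_leavers and day > hr_leavers[user]:
            seen[user].add(day)
    return {user: sorted(days) for user, days in seen.items()}


if __name__ == "__main__":
    sample = build_sample_log()
    print(stale_accounts(DIRECTORY, HR_LEAVERS, HR_ACTIVE, AS_OF))
    print(pre_departure_spikes(sample, HR_LEAVERS))
    print(post_departure_activity(sample, HR_LEAVERS))
```

Two design points matter more than the thresholds. The baseline is per person, so a role that legitimately moves large files every day is not flagged merely for being busy; only a change from that person's own norm is. And every check takes the leave date from HR rather than from the directory, which is the point the article makes about policy: the technical control only works if the leaver process actually delivers that date to the people running it, and a resignation that HR has not yet recorded is invisible to it.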
Mitigating insider risk
Effective mitigation against the complicated issue of insider risk is likely to include all of the below:
- Policy
- Strong governance
- Training, education and awareness initiatives
For instance, sound policy over how data is kept secure during the departure of personnel would help reduce the risk seen above. Indeed, overall, through a mix of these ingredients, an organization can embed a culture that embraces security and reduces insider risk. However, the measures in place to manage this risk also need to fit within the existing organizational culture and not create further risk by alienating personnel. On this, Helen Lipscombe notes that:
“Cyber resilience culture goals must be strategic, organizationally aligned and risk aligned. It is essential when beginning on a culture shaping journey to ‘look under the surface’ and explore the reality and the experience in which your people are operating. Understanding the lived culture, purpose, and values will help you identify how people currently engage with cyber risk, as well as existing cultural strengths that you should leverage and build on as you seek to enhance the importance of cyber resilience within the culture. The degree to which the importance of cyber resilience is likely to be adopted will be influenced by broader attitudes your organization has towards rules more generally.”
Therefore, how do we create a culture of cyber resilience and, by doing so, mitigate insider risk?
Ratna advises that some initiatives to generate a cyber resilient culture and mitigate insider risk include:
- Running ongoing awareness and training sessions for all insiders (staff, contractors, third parties) to cultivate an awareness of insider risk across the range of an organization’s activities.
- Keeping employees motivated and embedded in the organizational culture, so that they feel a sense of belonging and ownership and feel the responsibility to adopt all security mandates.
Embedding cyber resilience into organizational culture through training and awareness is a key step. Since ‘insider’ can refer to a broad range of people, it is also advisable that training and awareness do not forget to include third parties in this process. Making cyber resilience a responsibility for all personnel throughout an organization is also particularly important when examining insider risk. Through education about insider risk and by embracing a culture which respects cyber resilience, we can make active progress towards reducing unintentional breaches (clicking on phishing emails, etc.) which, as we’ve seen, are a huge proportion of insider incidents.
Adding to this, Rob Cooke MBCI explains a pillar of cyber resilience is having “an open dialogue, trusting and ‘no-blame’ culture.” He adds, “if employees feel protected and safe from persecution then they are less likely to become compromised.”
In addition, as referenced in the introduction, it is important to note that an improvement in culture may reduce the risk of malicious actions by an insider, but that these cultural improvements should be supported by “strong policies.”
“Your organizational risk mitigation decisions should be based upon achieving a balance between business delivery needs, policies and technical controls. Mitigations for data exfiltration should be understood by all employees, embedded in relevant policies, and supported by the organization’s security culture,” advises the National Cyber Security Centre in its guidance for reducing data exfiltration by malicious insiders[7].
Therefore, it is important to stress that culture-based initiatives can and should run alongside other measures, with the following suggested by Ratna:
- Deploying security technology tools for laptops/work gadgets, which are designed to detect insider risk. Moreover, only permit use of approved collaboration and service delivery tools to transmit/store data.
- Creating an insider risk programme within the overall risk management function, which will create policies, complete ongoing risk assessments, define & monitor performance metrics, devise KPIs/KRIs for governance, create incident response plans & strategies, etc.
Policies can include the previously mentioned training and education initiatives which are essential to help shape a cyber resilience culture. “Regular training and reminders can help with reducing carelessness, as can strong processes and procedures. When employees know their jobs well, understand the risks and are comfortable knowing they won't be persecuted, they become more relaxed and productive.”
Of course, when we discuss developing a cyber resilient culture supported by policies, we also need to consider governance. As Helen Lipscombe mentions in her blog, there may sometimes be a feeling among leadership that more concrete measures, such as security technology tools, should be substituted for the aforementioned culture work, instead of the two working in concert. “Shifting culture is difficult and can be messy and time consuming. It can, therefore, be very tempting for leaders to de-prioritise this work for something that will be seen to deliver quicker wins.” Although, Helen adds that “if you don’t consider the human beings on the receiving end, these ‘improvements’ are unlikely to land and be fully embedded.”
Furthermore, culture shifts with regards to cyber resilience will only be fully successful if supported by management. Ratna concludes by saying that these adaptations to our organizational culture, to make sure our personnel are still embedded and engaged within our organizations, are more important than ever in an environment where the methods of how we work are changing. She says that it is important to “make your employees feel heard and valued, through ongoing 1-2-1s with managers, team activities, support groups, etc. These can all be virtual but it’s imperative that, in a hybrid environment where employees are not ‘physically’ in the workplace where a lot of factors contribute to naturally building in the culture, that it gets substantiated with genuine efforts online.”
For more information on organizational culture and its relationship to resilience, please stay tuned for our long-form article on Personal Resilience, which will be released on Thursday and considers how BC/resilience professionals can consider their own resilience during a crisis.
Further resources:
More information on a programme to implement this security behaviour is available through sources such as the NPSA.
https://www.npsa.gov.uk/embedding-security-behaviour-change
[1] A. Kim, J. Oh, J. Ryu and K. Lee, "A Review of Insider Threat Detection Approaches With IoT Perspective," in IEEE Access, vol. 8, pp. 78847-78867, 2020, doi: 10.1109/ACCESS.2020.2990195.
[2] Saxena N, Hayes E, Bertino E, Ojo P, Choo K-KR, Burnap P. Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses. Electronics. 2020; 9(9):1460. https://doi.org/10.3390/electronics9091460
[3] Saxena N, Hayes E, Bertino E, Ojo P, Choo K-KR, Burnap P. Impact and Key Challenges of Insider Threats on Organizations and Critical Businesses. Electronics. 2020; 9(9):1460. https://doi.org/10.3390/electronics9091460
[4] https://news.sky.com/story/twitter-employees-laptop-wiped-and-accounts-locked-as-company-considers-laying-off-staff-12738247
[5] https://www.businesswire.com/news/home/20230316005545/en/Layoffs-Fuel-35-Increase-in-Data-Theft-by-Departing-Employees-According-to-DTEX-Systems-2023-Insider-Risk-Investigations-Report
[6] https://www.bloomberg.com/news/articles/2023-01-18/data-theft-by-workers-looms-over-2023-tech-layoffs