November 4, 2016
First Line of Defense on Cyber Risk
Zeroing in on technical countermeasures first is looking at the problem upside-down. Culture is the place to start.
Anonymous theft and abuse of business data is a growing risk for many organizations. Most security initiatives aimed at this problem begin with piecemeal technical controls, such as using software and policy to block or track USB drives and mobile devices. However, zeroing in on technical countermeasures first is looking at the problem upside-down. Instead, companies should first and foremost ask whether their corporate cultures are inviting insiders' malicious and risky behavior, or whether these cultures are functioning to deter it as a first line of defense.
The continuing Wells Fargo controversy is a perfect case in point.
Media accounts claim Wells Fargo managers pressured employees to meet aggressive growth quotas by signing up account holders for new accounts and financial services they never requested — reportedly netting the bank significant income in new fees and service charges. In effect, workplace cultures like this create a slippery slope, fostering a wider range of “fallout” insider threat behaviors.
When an organization’s culture creates opportunities for abuse, motivated employees may be more disposed to comb through that organization’s data for a side business, copy records on behalf of a rival or sell files to cyber criminals.
The sheer scale of this contributing risk factor becomes clear when you consider that high-pressure sales environments exist in many companies — to varying degrees. This is yet another example of why security and data privacy risks always begin and end with business factors and people, not technology.
Employees pressured into abusing data without penalty set an increasingly toxic precedent. Moreover, managers’ use of private, “unofficial” mediums outside of corporate oversight — such as text messages or personal email — to request or facilitate questionable conduct only reminds would-be malicious insiders that they will not arouse suspicion if they, too, use such tools in the workplace. How prevalent is this conduct? The answer matters because these behaviors are risk variables that are as important as patch levels and app permissions.
Recent bank investigations are a reminder for CEOs and chief information security officers (CISOs) alike that transparency, ethics and cybersecurity go hand in hand. As complex as fighting myriad cyber risks can be across companies' changing IT assets, too few decision-makers recognize the power of healthy leadership and corporate culture as a scalable, enterprise-wide defense.
Soul-searching in the wake of today’s headlines should include serious thoughts about making an ethical, highly visible business culture the first line of deterrence against ubiquitous insider risks. Accountability and leadership should play a larger role in safeguarding data and keeping business partners in line long before factoring in USB drives and mobile devices.
This post originally appeared on ThirdCertainty. It was written by Dan Velez.