Speaking at the TEISS conference in London, ClubCISO chair Dr Jessica Barker said that both non-malicious and malicious insiders can be detected by common behaviors.
Displaying ClubCISO’s research from 2019, which showed that non-malicious insiders accounted for 42% of incidents in the last 12 months, and malicious insiders accounted for 18%, Barker said that this is the biggest threat after a malicious external attacker (46%) where they can often “take advantage of a non-malicious insider.”
Barker explained that people don’t often expect to be impacted by these sorts of people, but often they can be people who have worked for an organization for a long time, and may appear to be loyal, but they can have grudges, feel overlooked for promotions and pay rises. “They don’t feel what they are doing is criminal, but they justify their activity in righting a wrong.”
Also, someone may feel like they can get away with actions such as leaking data or stealing information for a period of time, “but it takes a level of arrogance to steal and not be identified.”
For the non-malicious insider, Barker said that this is a result of people not understanding the complexities of cybersecurity, and press about cybersecurity can make it feel like the responsibility is out of their control.
“Using fear to trick behavior is not that easy, as if it was we wouldn’t have smokers or drink drivers,” she said.
Barker recommended communicating with staff who may be non-malicious insiders, as they could “have usable skills and knowledge to engage in behaviors.
“We can have all the awareness we want, but it needs to be usable,” Barker said, saying that you cannot just tell people that they need a better password, you need to tell them what they should do, and give them the tools to do it. “You cannot force people to change, you have to work to their knowledge” she said, adding that people commonly want to do the right thing at work but security controls usually get in the way of priorities.
She concluded by saying it is not about creating a separate security culture, but about understanding it is a culture, as “culture underpins what is normal in an organization, and what is acceptable.”