Technology / The human factor: Why your employees may be your biggest cyber security risk

The human factor: Why your employees may be your biggest cyber security risk

Cyber security experts gathered  in London this week to discuss why employees can be their own organisations' worst enemies - and how to tackle the problem - at a roundtable hosted by Balabit.

Introducing the discussion, Bob Tarzey, an analyst and director at Quocirca, said "anybody can do something stupid" and become an accidental threat. But at the other end of the spectrum, there are also malicious insiders who work against their own companies.

Dr Lee Hadlington, senior lecturer in cognitive psychology at De Montfort University, said the human factor is "the most complicated element that you could ever engage with" and explained that there are many different reasons why employees go rogue.

"That might be someone who is disgruntled," he said. "They could have a financial motive at their heart, personality factors, amorality, extraversion, opposition to authority..."

It was suggested that vetting could help to screen out employees with these traits, but Hadlington argued that by building a profile of an insider threat, firms could actually "miss out on the unknowns", letting other malicious actors in and sending away talented hires.

"Working in the area that I have been for the last five years - cyber security - my default setting is paranoid," he told the group of information security experts.

Adrian Asher, chief information security officer at the London Stock Exchange Group, said more regular vetting could help to protect organisations against existing employees whose circumstances have changed in a way that makes them a risk. This could highlight any financial difficulties or recent criminal convictions that the company is unaware of.

“We need to be doing continual vetting of staff, especially if their role changes and they get access to more sensitive things,” he said, noting that firms should “celebrate the reasons why you are doing this” and avoid punishments to ensure workers are happy to comply.

Jenny Radcliffe, head of training and consultancy at Jenny Radcliffe Training, said many businesses underestimate the threat within their own four walls.

“A lot of the time organisations just are not in touch with the way people feel in the organisation,” she said. “It is not so much that they have a problem – it is just that the loyalty can be stretched for various reasons… People overestimate how loyal employees are. They are loyal to themselves, not the people that they work for.”

She said fear, flattery and greed can all persuade otherwise good workers to go rogue, and many do not believe they are important enough to do much damage.

Another factor that makes attackers’ jobs easier is when employees break the rules to be more productive. This could be something as simple as sharing passwords or propping a secure door open so they do not have to swipe their passes all the time.

“Employees are loyal,” said Zoltan Gyorko, co-founder and CEO at Balabit, arguing that these workers just want to get things done. “They want to do their jobs and most of these ‘hacks’ are done because it is more efficient. They see security as a bottleneck instead of a partner…

“The bad news is that you cannot solve the problem, but you can reduce the risk. Instead of having a guard or door every couple of metres and forcing them to swipe their cards time and time again, you have to develop some sort of monitoring.”

Asher agreed, saying that good security should never stand in the way of employees doing their jobs, as this can create unnecessary risks to an organisation and provide opportunities for malicious insiders or outside attackers to carry out attacks.

“I always say that if an employee is breaking a rule to do their job then I am doing my job wrong,” he said, making the case for security and productivity to work in harmony. “If I am doing my job effectively, people are not trying to circumvent my controls.”

There was a consensus that security teams should use approaches and language the engages with employees, rather than talking down to them to set strict rules.

“We have to change the approach to handle our colleagues as partners,” Gyorko added, concluding the discussion. “Let them work. Let them do their jobs.”


Find out how to minimise the insider threat at your business at Business Reporter’s brand new workshop, which takes place on 25th January 2017 in London.

teiss

Shares