Talking insider threats at the CSO40 Security Confab and Awards

These days, the threat landscape for most companies is massive. But while there is a litany of outside threats that their security teams need to worry about, there is often an even greater danger much closer to home. Insider threats are an issue that no company is safe from, with breaches not just occurring at the hands of a disgruntled or malicious employee, but also unintentionally as a result of ignorance.

At this year's CSO40 Security Confab and Awards, Arthur Wang, ReSource Pro's information security and helpdesk supervisor, took to the stage to talk about mitigating those threats by spreading awareness and encouraging best practices for security and privacy. While many of the challenges his security team faced -- being seen as an enforcer and not a partner, compliance issues, a limited budget, poor awareness of security policies, adaptation to new risks, etc. -- would undoubtedly sound familiar to some, it's how Wang chooses to address those issues that's unique.

"Security is more than just policies and procedures," said Wang. "We must also consider the human element."

Considering the human element is where security teams tend to differ in their approaches. For some, the human element doesn't even come into play, and security amounts to little more than checking off the boxes to meet compliance requirements. Others, like KnowBe4, prefer to take the harsher approach and punish employees who make mistakes that may compromise company security in an effort to discourage negligence. Wang and ReSource Pro, however, take a more supportive, positive approach to spreading awareness.

One initiative, for example, was introducing a "Most Secure Process Department Award" to recognize achievements and contributions to improve employee awareness. The company even went as far as providing a monetary reward to the winning department.

Whether support over punishment works for every company and employee remains to be seen, but the results of Wang's encouraging approach can at least be backed by numbers. After running the program for a year and a half and issuing the award to eight processing departments, ReSource Pro found that 93 percent of its 1600+ employees had participated and that 154 award submissions had been received.

"The award created unprecedented employee engagement," said Wang.

And aside from increased employee engagement, there was -- more importantly -- a measurable positive impact on the company's security. "There was a reduction in security compliance issues," said Wang, who pointed to a downward trend over the years in the company's internal policy compliance issues. While there were six in 2011, there were only four in 2012, and a mere three in 2013.

"With this approach, there was an impact on risk mitigation rather than technology prevention," he said.

The positive encouragement in an attempt to spread security awareness was not just limited to the award, however. Wang also mentioned a number of other methods he adopted to help mitigate insider risks, ranging from the simple to the unorthodox.

Wang admitted that even as the person responsible for creating ReSource Pro's security policies, he couldn't remember every last one of them; it simply isn't feasible without reminders. So one of his more basic approaches to increasing awareness involves educating employees about security and privacy policies by having them pin up colorful, engaging lists in their cubicles. Similarly, the company circulates simple comics built from internet memes to remind employees of the proper course of action in certain scenarios, such as repeatedly entering a password incorrectly.

But some of the approaches were even a little more creative, like a crossword puzzle for which all of the answers referenced security policies. Employees can even be reminded by an audio prompt -- humorously similar in nature to a pre-recorded aircraft safety video -- how to properly close up shop at the end of a work day without creating any risk of a security breach (leaving computers on or logged in with sensitive data open, leaving physical documents or written passwords out on one's desk, etc.).

By using these kinds of methods, said Wang, "I believe security policies will not be that hard to remember."

Stories by Grant Hatchimonji