I would offer that, in our ardor to discover yet another algorithm or create yet another complex software suite to counter the malicious insider or, almost as dangerous, the persistent state-sponsored threat, we are missing the best, and ironically the least-expensive method to mitigate these threats.
What is it?
Work to create a culture of an informed, empowered and committed workforce, fully appreciative of the threat and knowledgeable of the signs of concerning behaviors on the part of co-workers, and specifically what to do and who to call in the event they see something suspicious or worrisome.
Coupled with enthusiastic corporate leadership and a demonstrated commitment to seeing this simple but essential training and education of the workforce take place, this is the simple elixir that will make the difference.
If there is little or no perceived commitment by the "boss", or the Director/CEO, then the likelihood for success is almost nil, as the effort will be perceived as just another exercise and 'block-checker' directed by management.
Employees with a true sense of 'ownership' are the best first line of defense against the myriad of cyber, physical and even clever social engineering threats arrayed against them. After all, they are just protecting their own jobs by protecting the company's intellectual property, reputation and future financial success.
Unfortunately, the default position of human nature and the prevailing attitude is more in line with what I noted in my first blog: Tony Robbins pointed out that [only] 29% of employees are "engaged" in their work. Just for fun, the next time you go into a big box store, or even a very high-end boutique store, take a moment to assess the demeanor and attitude of the employee you encounter, and try to get a sense of their 'ownership' of their department, section, or the store as a whole. If your experience is anything like mine, it won't be very high.
So what does all this mean?
You and your security team will have an uphill battle trying to establish and maintain this true sense of ownership. It will require work. It will require you and your staff getting out and mixing it up with the workforce. It might even require your team to create rewards and other incentives for employees to highlight vulnerable, unworkable or unrealistic systems, policies, or procedures. A sterile, bi-monthly 'security awareness' meeting is not going to be enough to change the culture, period.
In today's highly interconnected workplace, there is of course a clear requirement for best-of-breed software; threat detection software that analyzes behavior patterns is the most sophisticated and creative of these.
But the key to turning the tide of these threats is tailored and compelling awareness training for employees, both scheduled and ad hoc, taught by approachable and experienced security staff. Why? It's all about the people.
Here are a few ideas:
- Educate and train employees semi-annually on security and the latest threats; contact the local FBI office for the most current information.
- Ensure that proprietary information is protected and limit access to the systems staff need to do their jobs. When employees leave or change jobs, promptly revoke access, including access that belonged to the old role.
- Ensure comprehensive due-diligence research and background checks before hiring new employees.
- Provide non-threatening, convenient ways for employees to report suspicions.
- Routinely monitor networks for suspicious activity. Publish anonymized results of audits so employees will see that policies are being enforced; this will serve as a strong deterrent to those who may not "do the right thing when nobody is looking". On the other end, reward those employees who are of service to their fellow employees and the organization.
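The "revoke access when employees leave or change jobs" item is the one on this list that is most often promised and least often verified. One way to check it is a periodic joiner/mover/leaver reconciliation: compare the HR roster against the access actually granted on each system and flag anything that no longer has a justification. The script below is an added example, not code from the original post; the roster, the access list, the department-to-system mapping and the `reconcile` function are all constructed here for illustration, and in practice the two inputs would come from the HR system and from the identity provider or the systems themselves.

```python
"""Joiner/mover/leaver reconciliation: flag access that should have been revoked.

Added example, not part of the original post. All data below is constructed
sample data; the department-to-system mapping is a stand-in for whatever
least-privilege model the organization actually uses.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Employee:
    user: str
    department: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # last day, for terminated staff


@dataclass(frozen=True)
class Grant:
    user: str    # account name on the target system
    system: str  # the system the account has access to


# Constructed: which departments legitimately need which systems.
ROLE_SYSTEMS: Dict[str, Set[str]] = {
    "engineering": {"source-repo", "ci", "vpn"},
    "finance": {"erp", "vpn"},
    "hr": {"hris", "vpn"},
}

# Constructed sample HR roster (the authoritative view of who works here).
ROSTER: List[Employee] = [
    Employee("alice", "engineering", "active"),
    Employee("bob", "finance", "active"),                      # moved from engineering
    Employee("carol", "hr", "terminated", date(2024, 3, 1)),   # left three months ago
]

# Constructed sample access list as exported from the systems.
GRANTS: List[Grant] = [
    Grant("alice", "source-repo"), Grant("alice", "ci"), Grant("alice", "vpn"),
    Grant("bob", "erp"), Grant("bob", "vpn"),
    Grant("bob", "source-repo"),    # left over from bob's old engineering role
    Grant("carol", "hris"), Grant("carol", "vpn"),   # never revoked after departure
    Grant("svc-legacy", "erp"),     # account with no HR record at all
]

# Fixed "today" so the sample is reproducible.
AS_OF = date(2024, 6, 1)


def reconcile(roster: List[Employee], grants: List[Grant],
              role_systems: Dict[str, Set[str]],
              today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Classify every grant that lacks a current justification.

    leaver: the user is terminated and past their end date, yet still has access.
    mover:  the user is active but the system is not one their department needs.
    orphan: the account matches no one on the HR roster (service or ghost account).
    Returns a dict of category -> sorted list of (user, system).
    """
    by_user = {e.user: e for e in roster}
    findings: Dict[str, List[Tuple[str, str]]] = {"leaver": [], "mover": [], "orphan": []}
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None:
            findings["orphan"].append((g.user, g.system))
        elif emp.status == "terminated" and (emp.end_date is None or emp.end_date <= today):
            findings["leaver"].append((g.user, g.system))
        elif g.system not in role_systems.get(emp.department, set()):
            findings["mover"].append((g.user, g.system))
    return {k: sorted(v) for k, v in findings.items()}


def sample_findings() -> Dict[str, List[Tuple[str, str]]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(ROSTER, GRANTS, ROLE_SYSTEMS, AS_OF)


if __name__ == "__main__":
    for category, hits in sample_findings().items():
        for user, system in hits:
            print(f"{category:6s} {user:12s} {system}")
```

Run on the sample data, the report lists carol's two surviving accounts as leaver access, bob's lingering source-repo grant as mover access, and svc-legacy as an orphan. The categories matter because the owners differ: leaver and mover findings go back to the manager who approved the original grant, while orphans usually need someone to first establish who owns the account before it is disabled. A terminated employee whose end date is still in the future (notice period) is deliberately treated as active so the check does not cut access early.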
Will this proven method of engaging the workforce as partners with HR, managers, and security result in increased vigilance and identify the next disgruntled employee or malicious contractor like Snowden?
A review of past espionage cases suggests that many, though not all, of the perpetrators displayed indicators that should have aroused (and sometimes did arouse) concern among co-workers and were reported. But not all culprits display such indicators to co-workers, which is why strong data encryption, two-factor authentication and behavior-based threat detection software are also critical to meeting the threat.
While there is much to be said for a blended approach to this issue, we cannot afford to ignore the single most powerful defensive tool in our security toolbox: fellow employees who are aware of the various threats, understand the basic warning signs of concerning behavior, and know whom to call so as to possibly avert the next data breach.