Your Best Asset? An empowered and aware workforce.

I would offer that, in our ardor to discover yet another algorithm or create yet another complex software suite to counter the malicious insider or, almost as dangerous, the persistent state-sponsored threat, we are missing the best, and ironically the least-expensive method to mitigate these threats.

What is it?

Work to create a culture of an informed, empowered and committed workforce, fully appreciative of the threat, knowledgeable about the signs of concerning behavior on the part of co-workers, and clear on exactly what to do and whom to call when they see something suspicious or worrisome.

Coupled with enthusiastic corporate leadership and a demonstrated commitment to seeing this simple but essential training and education of the workforce take place, this is the simple elixir that will make the difference.

If there is little or no perceived commitment by the "boss", or the Director/CEO, then the likelihood for success is almost nil, as the effort will be perceived as just another exercise and 'block-checker' directed by management.

Employees with a true sense of 'ownership' are the best first line of defense against the myriad of cyber, physical and even clever social engineering threats arrayed against them. After all, they are just protecting their own jobs by protecting the company's intellectual property, reputation and future financial success.

Unfortunately, the default position of human nature and the prevailing attitude are more in line with what I noted in my first blog: Tony Robbins pointed out that only 29% of employees are "engaged" in their work. Just for fun, the next time you go into a big box store, or even a very high-end boutique, take a moment to assess the demeanor and attitude of the employee you encounter and try to get a sense of their 'ownership' of their department, section, or the store as a whole. If your experience is anything like mine, it won't be very high.

So what does all this mean?

You and your security team will have an uphill battle trying to establish and maintain this true sense of ownership. It will require work. It will require you and your staff getting out and mixing it up with the workforce. It might even require your team creating rewards and other incentives for them to highlight vulnerable or unworkable, unrealistic systems, policies, or procedures. A sterile, bi-monthly 'security awareness' meeting is not going to be enough to change the culture, period.

In today's highly interconnected workplace there is, of course, a clear requirement for best-of-breed software; threat detection software that analyzes behavior patterns is the most sophisticated and creative of these.

But the key to turning the tide of these threats is tailored and compelling awareness training for employees, both scheduled and ad hoc, taught by approachable and experienced security staff. Why? It's all about the people.

Here are a few ideas:

  • Educate and train employees semi-annually on security and the latest threats; contact the local FBI office for the most current information.
  • Ensure that proprietary information is protected and limit access to the systems staff need to do their jobs. When employees leave or change jobs, promptly revoke the access they no longer need.
  • Ensure comprehensive due-diligence research and background checks before hiring new employees.
  • Provide non-threatening, convenient ways for employees to report suspicions.
  • Routinely monitor networks for suspicious activity. Publish anonymized results of audits so employees see that policies are being enforced; this serves as a strong deterrent to those who may not "do the right thing when nobody is looking". On the other end, reward those employees who are of service to their fellow employees and the organization.
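The "promptly revoke access" item above is easy to state and easy to let slip, so it helps to check it mechanically. The following is an added example, not code from the original post: a small Python reconciliation that compares an HR roster against account exports and flags three things at once, accounts still enabled for leavers, entitlements a mover kept from a previous role, and orphan accounts with no HR owner. The roster, the account export and the role-to-entitlement policy table are all constructed for illustration.

```python
"""Reconcile an HR roster against account exports to find access that should
already have been revoked.

Added example, not part of the original post. The HR records, account
export and ROLE_ENTITLEMENTS policy table are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    role: str
    status: str      # "active" or "terminated"
    effective: date  # date of hire, last role change, or termination


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner: str | None          # HR employee id, or None if untracked
    entitlements: frozenset[str]
    enabled: bool


# Assumed policy: entitlements each role is permitted to hold.
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn", "git", "ci"},
    "finance": {"vpn", "erp"},
    "helpdesk": {"vpn", "ad-reset"},
}

# Constructed HR roster as of the review date.
HR_ROSTER = [
    Employee("E100", "Ana", "engineer", "active", date(2021, 3, 1)),
    Employee("E101", "Ben", "finance", "terminated", date(2024, 5, 31)),
    Employee("E102", "Cai", "helpdesk", "active", date(2024, 6, 15)),  # moved from engineering
]

# Constructed account export pulled from several systems.
ACCOUNTS = [
    Account("vpn", "ana", "E100", frozenset({"vpn"}), True),
    Account("git", "ana", "E100", frozenset({"git"}), True),
    Account("vpn", "ben", "E101", frozenset({"vpn"}), True),
    Account("erp", "ben", "E101", frozenset({"erp"}), True),
    Account("git", "cai", "E102", frozenset({"git", "ci"}), True),
    Account("vpn", "cai", "E102", frozenset({"vpn", "ad-reset"}), True),
    Account("erp", "svc_report", None, frozenset({"erp"}), True),
]

AS_OF = date(2024, 7, 1)  # review date for the constructed data


def reconcile(roster, accounts, as_of):
    """Compare enabled accounts against the HR roster.

    Returns a sorted list of (kind, system, username, detail) tuples, where
    kind is "leaver" (owner terminated), "mover" (owner's current role does
    not permit some entitlement) or "orphan" (no HR owner on record).
    """
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to do
        owner = by_id.get(acct.owner) if acct.owner else None
        if owner is None:
            findings.append(("orphan", acct.system, acct.username,
                             "no HR owner on record; assign an owner or disable"))
            continue
        if owner.status == "terminated":
            days = (as_of - owner.effective).days
            findings.append(("leaver", acct.system, acct.username,
                             f"{owner.name} left {days} days ago; disable"))
            continue
        # Unknown roles are permitted nothing, so every entitlement is flagged.
        allowed = ROLE_ENTITLEMENTS.get(owner.role, set())
        excess = sorted(acct.entitlements - allowed)
        if excess:
            findings.append(("mover", acct.system, acct.username,
                             f"{owner.name} is now {owner.role}; remove {', '.join(excess)}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, system, user, detail in reconcile(HR_ROSTER, ACCOUNTS, AS_OF):
        print(f"{kind:7} {system:4} {user:12} {detail}")
```

Run against real exports, the same loop becomes the weekly audit whose anonymized results the last bullet suggests publishing: a count of leaver accounts disabled within the grace period, and how many were not, is exactly the kind of figure that shows staff the policy is enforced.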

Will this proven method of engaging the workforce as partners with HR, managers, and security result in increased vigilance and identify the next disgruntled employee or malicious contractor like Snowden?

A review of past espionage cases suggests that many, but not all, of the perpetrators displayed indicators that should have aroused (and sometimes did arouse) concern on the part of co-workers and been reported. Because not every culprit displays such indicators to co-workers, sophisticated data encryption, two-factor authentication and behavior-based threat detection software are also critical to meeting the threat.

While there is much to be said for a blended approach to this issue, we cannot afford to ignore the single most powerful defensive tool in our security toolbox: fellow employees who are aware of the various threats, understand the basic warning signs of concerning behavior, and know whom to call so as to possibly avert the next data breach.

Stories by Tom Coyle