On Thursday 24th September, we hosted Human Layer Security Live – a single virtual event dedicated to bringing you actionable insights into detecting and mitigating insider risk in your organisation.
We were joined by an incredible line up of speakers, including:
- Eric O’Neill, former FBI counter-terrorism and counterintelligence operative
- Lisa Forte, Partner at Red Goat Cyber Security LLP
- Christian Toon, CISO at global law firm Pinsent Masons
- Ed Amoroso, CEO of TAG Cyber LLC and former-CISO of AT&T
- Jon Seeger, Information Security Manager at international law firm Linklaters
- Ste Watts, Head of Security Operation at Aldermore Bank
- Tony Pepper, CEO and Co-founder of Egress
- Neil Larkins, COO and Co-founder of Egress
Every speaker at the event is an expert in insider breaches – whether they caught the most damaging spy in US history; advise organisations around the world on their human layer security strategy; manage security programmes, processes and personnel for global firms; or lead a company that designs and delivers security technology that addresses real business needs.
Unsurprisingly, their talks were packed with amazing insights into how you can mitigate insider breach risk in your organisation – and we’ve hand-selected 20 of our favourite top takeaways for you.
Don't forget: you can watch all of the sessions on demand here.
1. Human layer security is a differentiator right now, but it's rapidly becoming the norm
Throughout the event, our speakers talked about the urgent need for intelligent technology, like contextual machine learning, that can remove human error from simple business processes, such as sending an email.
This topic was discussed by Jon, Ste and Tony during our panel session, in which they described human layer security as a factor currently setting firms apart by helping them to provide clients with assurance their data is protected, while also providing better security experiences for employees.
But this won’t last long – they agreed that this technology is being rapidly adopted by organisations globally, and will soon become part of the default tech stack for any business.
2. Static rules-based DLP is no longer enough to protect data shared over email…
Static DLP cannot establish context: it cannot understand, for example, when it’s right to share data with specific recipients, or when human error may have caused a mistake. As highlighted by Jon in our panel session, static DLP alone isn’t enough to help organisations remain agile and competitive in today’s world.
(Read our recent blog that covers this in more detail.)
3. …So it can’t help us when we inevitably make mistakes
All our speakers acknowledged that insider risk is predominantly created by non-malicious employees, who are simply making mistakes. And two of the most common errors? You guessed it – autocorrect suggesting the wrong email recipient and leaking data via email attachments (i.e. attaching the wrong file, forgetting to redact/remove data, or hidden data not being spotted).
4. Understand that there is a big gap between how technology is seen by security and compliance personnel, and how it's seen by other colleagues
A point highlighted by Lisa in her presentation: non-security colleagues will see technology as a means to an end, and won't necessarily identify the inherent risks of using commercial solutions, like file sharing sites, for corporate data.
5. Encourage reporting, but don’t rely on it
Another theme discussed by Lisa was the reliance on people to self-report or to report colleagues when security incidents occur. In fact, recent research shows that 62% of CISOs rely on people-based reporting for email data breaches. But, as Lisa’s own experience receiving a misdirected email highlights, this isn’t a reliable way to monitor the risks in your business.
6. You can measure your own email breach risk
The first step to mitigating risk is understanding how big the problem is within your organisation. As Neil highlighted during his session, Egress Investigate 365 is a free tool that provides insight into the number of email security incidents your organisation has experienced in the last 12 months. Find out more.
7. Remote working during the COVID-19 pandemic has amplified insider data breach risk
There isn't a single organisation globally that hasn’t introduced new processes as a result of COVID-19 and social distancing. All our speakers noted this – whether it was the new distractions highlighted by Eric or the need for new technology discussed by Ste.
As a result, new risks are emerging – whether that’s simply because we’re all sending more emails now, so statistically we’re going to make more mistakes (as Neil talked about), or because rapid digital transformation has introduced new processes with risks that haven’t been anticipated.
8. And when people are under pressure, it’s the worst time for security
Whether you’re the US’s most notorious spy being put under pressure to leave your PalmPilot behind for the FBI to copy, or just stuck in an over-running Zoom meeting while your boss is reminding you of an overdue deadline, people under pressure are far more likely to make mistakes.
9. Data is the currency of our lives, and we need to protect it!
As services are driven online and long-term remote/flexible working continues, it's important that security is hardwired into how organisations collect, share and store data, including protecting information from accidental and intentional data leaks caused by internal employees and trusted third parties. Luckily, intelligent technologies like contextual machine learning are making this easier to do than it has been before.
10. Any security technology and processes you put in place shouldn’t make life harder for your employees
Another factor all our speakers were passionate about is providing great security experiences through technology! In particular, Lisa and Ste both cautioned against introducing too much friction into existing processes (such as turning off Outlook autocomplete in the name of security!), and Neil highlighted how we use intelligent technology to improve user experience. (We’d love to show you how our technology works – you can request a demo here.)
11. Beware false positives!
Ed Amoroso spent time explaining how false positives can become damaging for security: employees ultimately become fatigued by them and end up not engaging properly when the threat is real. He argued that they need technologies that help them truly and accurately define what is and isn't a security risk.
12. In security, culture is everything
All our speakers are passionate about promoting positive security culture, with particular insights on how to create one coming from Christian and Ed. We have to recognise that every organisation has its own unique corporate culture and, specifically, its own unique security culture. Some tactics that work in one company or one industry might not work in another – but everyone’s main aim must be to create a culture of transparency, trust and accountability.
13. Make your security programmes personal
During his presentation, Christian discussed Pinsent Masons’ ‘Ask us anything’ campaign – where employees could come to the security team and ask any questions related to security. It didn’t have to be something to do with their job at the firm, and they even had questions about internet banking and cyber-bullying. As a result of this personalisation, the firm’s employees were more invested in security and improved their security practices both at work and at home – which was a win-win for everyone!
14. Accept that people think they know more about security than they actually do!
Lisa discussed the Dunning-Kruger effect – which shows that when people know a little bit about a subject, they tend to overestimate the extent of their knowledge. As a result, these individuals are normally over-confident in their abilities and therefore much more likely to take the risks that lead to insider data breaches.
15. Identify high-risk targets within your organisation, and help them!
When explaining how organisations can begin mitigating insider risk, Lisa advised delegates to accept that some people are more likely to put sensitive information at risk than others, purely because of their role or responsibilities within the company. Because they are surrounded by more sensitive information than other users, they become more attractive targets for phishing attacks and are more likely to accidentally attach the wrong document to an email and leak sensitive data.
Making sure they receive bespoke support is important when preventing the most damaging types of insider data breaches.
16. Reward good security behaviours
Whether it’s 5,000 tubs of Jelly Beans, a pizza party, CPE points or a gift voucher, both Christian and Ed outlined that there are lots of ways to reward people for good security behaviours, and for engaging with your security programme and processes. This positive affirmation will go a long way in creating the right security culture.
17. Include your whole demographic
When building or evolving your security culture, you need to include and be sensitive to the needs of your whole employee base. As Christian pointed out, this stretches from recognising the infrastructure available in certain locations, to tailoring content around regionalised values, such as cultural or political norms.
18. Help employees understand the importance of internal security by showing them the consequences of a breach
As Lisa explained, one way to help non-security colleagues understand how important it is to protect sensitive information is to highlight case studies of what can happen when things go wrong. This shouldn't be aimed at creating fear, but people outside your immediate team often won't actually know how an organisation can suffer when things go wrong, and showing them helps to create meaningful accountability.
19. Everyone needs guiderails to help them work securely
As highlighted during our panel with Jon and Ste, employees can operate with the best of intentions, but without the correct support they’re inevitably going to put data at risk because they’re only human. The right technology and processes should act as guiderails so that great employees can simply focus on getting their jobs done.
20. The time to act is now!
The pressure continues to build on organisations to prove to their clients, data subjects and regulators that they can genuinely mitigate all security risks, including insider breaches. Human layer security is critical to providing this assurance, and we'd love to show you how we can help. Get in touch today to see how our intelligent technology works.