Following the release of the Phishing Threat Trends Report, we recently hosted the Human Risk Summit, a coming together of some of the biggest names in the industry to discuss the human element and the role it plays in cybersecurity.
In this post, we’ll recap some of the themes, statistics, and insights from two of our speakers – Nadine Michaelides of University College London and Jinan Budge of Forrester.
“Who’s Your Riskiest Employee? Understanding the Psychology Indicators of Risk”
Nadine Michaelides, Cyber Psychologist at University College London, and Founder of Anima People
Nadine started by highlighting a few examples of insider threats in a corporate context. She mentioned the following as examples:
- An engineer who steals trade secrets and sells them to a competitor
- A maintenance technician who cuts network server wires and causes a fire
- A customer service representative who downloads clients' contact information and emails it to a personal account for use when starting their own business
- A database administrator accesses client financial information and sells it on the dark web
- An employee clicks on a phishing link in an email, even though they suspect it may be a threat
Insider threats happen for many reasons including negligence, disgruntled employees (present and past), financial motivation, and deliberate criminality. Nadine used three examples to illustrate how different circumstances could cause different types of insider threats.
Example one – Two customer service agents working at a major bank disagree with their manager on how to prioritize internal targets and decide to look for other jobs as a result. One of the agents is distracted and on two separate occasions forwards sensitive information to multiple recipients using the Cc function instead of Bcc.
Example two – An unemployed software engineer is approached by someone in a tech forum and asked to steal company secrets from a target organization and inform foreign intelligence. This individual then successfully infiltrates the company in question.
Example three – An individual has a great relationship with her manager and was promised a promotion. The manager leaves the organization and the interim manager neglects the promised promotion. The relationship deteriorates and, due to the individual’s state of mind, they click on a malicious phishing link in an email, which results in cybercriminals stealing sensitive company information.
“Human beings are complex and there is no ‘one size fits all’ approach to security.”
In keeping with the main topic, Nadine explained that there are multiple types of insider threat, and she has developed eight tips to detect and avoid them:
- Evaluate and improve security policies
- Screen new hires
- Monitor and report disgruntled or compromised employees
- Facilitate regular cybersecurity awareness training
- Don’t neglect physical security
- Examine past insider threat incidents
- Secure off-boarding processes
- Balance employee privacy with company security
The indicators of insider risk can be divided into behavioral and digital.
The behavioral indicators can include:
- Regularly working off-hours
- Attempts to circumvent security processes
- Displays of resentment toward coworkers or managers
- Contemplating resignation or discussing new opportunities
- Dissatisfied individuals – former employees, contractors, vendors, or partners
The digital indicators include:
- Accessing company applications and networks at unusual times
- Attempting to access resources that they do not normally access or do not have permission to access
- Using unauthorized devices like personal USBs
- Emailing sensitive data to recipients outside of the organization
- Network crawling and deliberate search for sensitive information
- Surge in volume of network traffic – someone copying large amounts of data will result in unusual spikes in network traffic
- Attempting to access data that is not related to their job function
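As an added example that is not part of the talk or this post, the following Python script turns several of the digital indicators above into detection rules and runs them over a few constructed access-log records. The role allowlists, daily byte baselines, business hours, corporate domain and all event data are assumed values chosen for the illustration.

```python
from datetime import datetime

# Constructed sample events (not real data): one record per user action.
EVENTS = [
    {"user": "alice", "ts": "2024-03-04T09:15:00", "action": "file_read",
     "resource": "crm/contacts", "bytes": 20_000, "device": "corp-laptop-01"},
    {"user": "alice", "ts": "2024-03-04T02:40:00", "action": "file_read",
     "resource": "finance/ledger", "bytes": 900_000_000, "device": "corp-laptop-01"},
    {"user": "alice", "ts": "2024-03-04T02:45:00", "action": "usb_mount",
     "resource": "", "bytes": 0, "device": "usb-unknown-7f"},
    {"user": "bob", "ts": "2024-03-04T11:00:00", "action": "email_send",
     "resource": "reports/q1-forecast.xlsx", "bytes": 3_000_000,
     "device": "corp-laptop-02", "recipient": "bob.private@example.org"},
]
# Hypothetical per-user allowlists and baselines; a real deployment derives
# these from HR role data and observed history rather than hard-coding them.
ROLE_RESOURCES = {"alice": {"crm/"}, "bob": {"reports/", "crm/"}}
DAILY_BASELINE_BYTES = {"alice": 50_000_000, "bob": 50_000_000}
CORP_DOMAIN = "example.com"
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 counts as normal


def flag_event(ev, day_total):
    """Return the digital indicators triggered by one event."""
    flags = []
    if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
        flags.append("unusual_time")                     # access at unusual times
    allowed = ROLE_RESOURCES[ev["user"]]
    if ev["resource"] and not any(ev["resource"].startswith(p) for p in allowed):
        flags.append("outside_job_function")             # data unrelated to role
    if ev["action"] == "usb_mount" and not ev["device"].startswith("corp-"):
        flags.append("unauthorized_device")              # personal USB
    if ev["action"] == "email_send" and not ev.get("recipient", "").endswith("@" + CORP_DOMAIN):
        flags.append("external_email")                   # sensitive data leaving the org
    baseline = DAILY_BASELINE_BYTES[ev["user"]]
    if day_total > baseline >= day_total - ev["bytes"]:
        flags.append("volume_spike")                     # fires once when the day crosses baseline
    return flags


def score_user_events(events):
    """Run every event through flag_event; return {user: {indicator: count}}."""
    totals, result = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ts"][:10])                # bytes moved per user per day
        totals[key] = totals.get(key, 0) + ev["bytes"]
        for f in flag_event(ev, totals[key]):
            counts = result.setdefault(ev["user"], {})
            counts[f] = counts.get(f, 0) + 1
    return result
```

Each indicator on its own is weak evidence; the point of scoring per user is to surface the combination (off-hours plus out-of-role access plus a volume spike) for an analyst to review.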
- 34% of businesses around the world are affected by insider threats
- Businesses in the United States encounter a total of over 2,500 internal security breaches daily
- Over the last two years, the number of insider incidents has increased by 44%
- The cost per insider threat in 2022 was $15.38m
“The future is adaptive”
Jinan Budge, Vice President and Principal Analyst at Forrester
Jinan starts by highlighting the difference between where cybersecurity started and where it’s going:
- Humans were once considered the weakest link; businesses are starting to realize that responsibility for security training rests with the organization, not with individual employees
- Where there used to be no link between cybersecurity posture and the human element, businesses today know that these two are intimately linked
Jinan advocates for what she calls ‘adaptive human risk protection’, which can be classified as a more modern, more dynamic version of previous cybersecurity understanding.
Cybersecurity regulations and frameworks, in some cases, were created over a decade ago and consequently are largely out of tune with where the cybersecurity industry has moved. Forrester reviewed 45 global cybersecurity compliance laws and discovered that 17 of these regulations were drafted over a decade ago. A further eight were created over 20 years ago and six were drafted before the year 2000.
A survey conducted in the United States reported the ways in which people and organizations measure the effectiveness of training. Of those surveyed, 84% said ‘completion rates’ were a key indicator of program success, 72% said effectiveness could be measured by the number of phishing clicks, and 67% cited evaluations.
Jinan explains that we need to extend our understanding of cyber safety behaviors. Instead of focusing on completion rates and attendance, focus on the number of employees reporting phishing attacks, simulated attacks, or security incidents.
“In the future of cybersecurity, there is going to be a really strong link between the human risk and security posture.”
Next, you need to establish behavioral baselines and targets. These behaviors can be categorized by daily security practices like using password managers and enabling auto-updates. Higher levels of security knowledge include practices like blocking pop-ups, turning off Bluetooth, and clearing cookies regularly.
Quantifying human risk is another critical step in improving your company’s security, so that you can set thresholds and measure security behaviors consistently and quickly. Do not base these numbers on quiz results but on everyday interactions with potential risk scenarios.
Next, businesses and CISOs need to initiate interventions where they are needed most. These interventions can be policy-based or training-based. These lessons need to be delivered in real-time, real-life scenarios.
Finally, you need to codify security culture. Measure attitudes, cognition, norms, and responsibilities around cybersecurity and conduct cultural assessments to help you understand the sentiment around cybersecurity in your organization.
- According to Forrester’s Security Survey from 2022, only 12% of businesses that took part in the survey have a security training program that “not only changes behaviors but also embeds long-term, sustained security cultural change”
- 9% of businesses that took part in the survey do no security training whatsoever
- 84% of businesses measure security training success on completion rates
- 4% of businesses do not measure the effectiveness of security training at all