Business leaders are looking ahead to a post-pandemic workplace, and one thing is clear: insider risk is the most prevalent threat to organisations today and one of the most complex problems to solve. So, what can you do to keep sensitive data secure now and in the future?
On 22nd April 2021, we hosted Human Layer Security Global to find out. It was tough to choose but we’ve managed to pick out our top 17 takeaways from industry thought leaders and expert speakers from leading brands for you to enjoy below.
1. Non-malicious insiders are one of the biggest risks businesses face
Jessica Barker, Co-founder and Co-CEO, Cygenta – Threats of the future: Predicting and mitigating the next wave of insider risk
Non-malicious insiders are far more common than malicious insiders, and one of the biggest risks organisations face. The mistakes that lead to breaches are normally made by people who are stressed, under pressure, not trained properly, or unfamiliar with best practice.
According to Club CISO data, it’s highly unlikely organisations will have a material incident caused by a malicious insider. Social engineering was the most common vector for material cybersecurity incidents. Even though these threats are external, they still need to take advantage of a non-malicious insider to cause harm.
2. Security leaders need to put controls in place to empower people to do their jobs
Rachel Wilson, Head of Cybersecurity, Morgan Stanley – Panel: The impacts of insider data breaches
The onus is on security leaders to give people the right tools to do their jobs and prevent them from causing breaches. It’s not in anyone’s best interest to make it difficult for people within an organisation to report a breach.
Having said that, we don’t want to create a culture of fear when employees report themselves or colleagues. A good, positive culture helps to ensure failsafes are in place for good security – but there is of course a fine line when people make the same mistake several times over.
3. Organisations don't know the scale of outbound email data breach incidents
Neil Larkins, COO, Egress – Data-driven security: Using machine learning in the battle against breaches
Organisations tend to have a certain level of awareness of email data breaches. However, we recently launched a new version of our Egress Analytics platform that has uncovered a lot of incidents they weren’t aware of and given them insight into the true scale of the problem within their business. Usually, it’s nine to ten times worse than they realised.
We’re surfacing these metrics so businesses can put the right protections and systems in place to keep their data secure. This is especially important given the changes in working environments over the last 12-14 months and subsequent rise in accidental breaches.
4. Security can't be all about compliance and not about behaviours
Matt Finn, Head of Information Security and Resilience, DLA Piper LLP – Why organisations are putting people first in 2021
Security is often seen as the “police or business blockers” – but that’s not the philosophy of DLA Piper LLP. When security only focuses on compliance, it leads to security fatigue and people taking short cuts. So DLA Piper chose to engage people with a different approach.
They added an element of gamification with a phishing competition for their lawyers, which ultimately was able to change behaviour and lead to increased reporting. In doing so, they managed to make security more human – and have seen a marked increase in people contacting the security team to report incidents and talk about security.
5. Your clients' #1 priority is their data security
Rachel Wilson, Head of Cybersecurity, Morgan Stanley – Panel: The impacts of insider data breaches
Clients care deeply about data security as a whole, although not necessarily about the specific source. Polls among Morgan Stanley Wealth Management’s customers over the last four to five years have shown that their main concern is risk to their personal data.
Morgan Stanley’s clients have high expectations for the firm and a low tolerance to data breaches – regardless of whether a breach is caused by an accident or through malicious intent. However, that does mean data security can be a competitive advantage when done right!
6. Deep fakes will be the next big cause of insider breach risk
Jessica Barker, Co-founder and Co-CEO, Cygenta – Threats of the future: Predicting and mitigating the next wave of insider risk
Cybercriminals follow the numbers – the more we communicate in a certain way, the more they’ll try to exploit it. Video communication has increased throughout the pandemic and cybercriminals will have taken notice.
We’re already seeing a rise in deepfake technology that’s highly convincing, and now we need to consider how social engineers will use this to take advantage of non-malicious insiders. For example, a deepfake of a CEO’s voice could be used to leave a voice message asking for a transfer of funds.
7. Trust is at the centre of insider risk
Geoff Brown, CISO, City of New York – Anatomy of insider risk in 2021
Who do you trust? It’s a calculation we make every day. We choose our friends, doctors, lawyers, social media platforms, and news sources. Trust underpins our society – but when it’s misplaced it can have devastating consequences.
Just like in other areas of our lives, we need to use our judgement to minimise exposure to insiders who could cause us risk. To combat insider risk, it’s important to create a culture in an organisation where people can trust each other. They should also believe it’s in their best interest to protect their organisation.
8. Email is mission critical – and security shouldn’t affect that
Matt Finn, Head of Information Security and Resilience, DLA Piper LLP – Why organisations are putting people first in 2021
We’re sharing more digital content than ever and email remains a mission critical channel, so anything that slows it down is a concern. People now expect technology to dynamically respond to their behaviour and have security automate in the background.
Businesses can no longer afford to have a trade-off between security and productivity. We need to build trust in technology, demonstrate its risk reduction, and keep productivity high.
9. We can't lock down communication channels – we have to make them secure
Stephen Williamson, Head of Internal Audit Information and Information Security & Data Privacy, GSK – Panel: The impacts of insider data breaches
We operate collaboratively and have so many channels of communication available to us, such as email, Microsoft Teams, social media – and organisations need every one of them to be effective. They simply wouldn’t survive by locking channels down or locking users out.
Getting the balance between productivity and keeping things secure is the crucial aspect, as every channel provides an opportunity for data to be breached. We can monitor channels but we also have to rely on our people, trusting their good behaviour and awareness of doing the right thing.
10. Email DLP needs both unsupervised AND supervised machine learning to be successful
Neil Larkins, COO, Egress – Data-driven security: Using machine learning in the battle against breaches
Machine learning brings many opportunities for organisations when used appropriately. It can detect context-driven incidents that traditional solutions can’t – such as failure to use Bcc, mistyped email addresses, or domain name impersonation.
At Egress, we use supervised machine learning to help provide insight at an organisational and industry level, as well as unsupervised machine learning that parses user data to deeply understand their behaviours. A lot of the patents we’ve recently been granted have been around how we can make our technology smarter to remove the admin burden of traditional DLP solutions.
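As an added illustration of the three context-driven mistakes named above (a missing Bcc on a mass mailing, a mistyped recipient domain, and a look-alike domain used for impersonation), here is a small rule-based Python checker. It is not Egress’s code and uses no machine learning; the trusted-domain list, the homoglyph table, the recipient threshold and the sample messages are all constructed for the example.

```python
"""Rule-based outbound email checks (added example, not Egress's code).

Flags three context-driven mistakes before a message leaves the organisation:
  1. many external recipients visible in To/Cc where Bcc should have been used,
  2. a recipient domain within a couple of edits of a trusted domain (typo),
  3. a recipient domain that maps onto a trusted domain after undoing common
     character substitutions (look-alike / impersonation domain).
All domains, thresholds and messages below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed: domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "partner-bank.co.uk", "acme-legal.com"}
INTERNAL_DOMAIN = "example.com"  # constructed: the sender's own domain

# Constructed: character substitutions commonly seen in look-alike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


@dataclass
class OutboundMail:
    sender: str
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a small value between two domains suggests a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_homoglyphs(domain: str) -> str:
    """Undo the substitutions in HOMOGLYPHS so look-alikes collapse onto the real name."""
    out = domain
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def check_bcc_usage(mail: OutboundMail, threshold: int = 5) -> List[str]:
    """Flag mass mailings where external recipients can see each other's addresses."""
    external = [r for r in mail.to + mail.cc if domain_of(r) != INTERNAL_DOMAIN]
    if len(external) >= threshold:
        return [f"{len(external)} external recipients in To/Cc; use Bcc"]
    return []


def check_recipient_domains(mail: OutboundMail) -> List[str]:
    """Flag recipient domains that impersonate or are likely typos of trusted ones."""
    findings: List[str] = []
    for recipient in mail.to + mail.cc + mail.bcc:
        domain = domain_of(recipient)
        if domain in TRUSTED_DOMAINS:
            continue
        for trusted in TRUSTED_DOMAINS:
            # Check impersonation first: a homoglyph domain is also within
            # edit distance, and the stronger finding should win.
            if normalise_homoglyphs(domain) == trusted:
                findings.append(f"{recipient}: look-alike of {trusted} (possible impersonation)")
                break
            if levenshtein(domain, trusted) <= 2:
                findings.append(f"{recipient}: within 2 edits of {trusted} (possible typo)")
                break
    return findings


def check_outbound(mail: OutboundMail) -> Dict[str, List[str]]:
    """Run all checks and return findings keyed by check name."""
    return {"bcc": check_bcc_usage(mail), "domains": check_recipient_domains(mail)}


if __name__ == "__main__":
    # Constructed sample: one impersonation domain, one transposition typo, one trusted.
    sample = OutboundMail(
        sender="alice@example.com",
        to=["bob@examp1e.com", "eve@exmaple.com", "carol@acme-legal.com"],
    )
    for name, hits in check_outbound(sample).items():
        print(name, hits)
```

Two caveats a practitioner would want: an edit-distance threshold of 2 is too loose for very short trusted domains and should be scaled to the domain length, and a static homoglyph table only catches the substitutions it lists. Both are the kind of gap that the behavioural models described in the talk are meant to close.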
11. We need to be more "Spock" and less "Homer"
Jessica Barker, Co-founder and Co-CEO, Cygenta – Threats of the future: Predicting and mitigating the next wave of insider risk
Even well-trained, educated and experienced individuals can make mistakes. This is because people process information in two ways. The first is to be calm, considered and logical, which we can call the “Spock” way of thinking. In this state, people are hard to manipulate.
Phishing emails are designed to push us into the “Homer” (Simpson) way of thinking, to trigger quick thinking and emotion-based responses. These phishing emails will come from figures of authority and create a sense of urgency. When people calm down into their “Spock” state, they realise they’ve been scammed.
12. COVID-19 has accelerated insider risk
Tony Pepper, CEO, Egress – Why organisations are putting people first in 2021
The requirement for remote and hybrid working throughout the pandemic has led to an acceleration in information being shared digitally. Unfortunately, this has also led to employees working longer hours, being more distracted, and feeling more stressed than they have before.
If we weren’t prone to making mistakes, breaking the rules or being susceptible to targeted attacks, human-activated threats to security wouldn’t happen. However, none of us are perfect, and we need a change in mindset and a fundamental shift in technical approaches to mitigate insider risk.
13. If you can be hacked, you are hacked!
Geoff Brown, CISO, City of New York – Anatomy of insider risk in 2021
All organisations need to continually hunt for indicators of threats and adversaries within their data and systems. For this to work, everyone across the organisation must know and agree that they’re accountable to be part of the defence – that they’re part of human layer security.
Executive sponsorship is key to making this happen. Employees should know the exact channels for honest accountability, so that they can quickly mitigate the impacts of unwitting insider threats caused by honest mistakes.
14. Criminals don’t break in; they log in
Matt Finn, Head of Information Security and Resilience, DLA Piper LLP – Why organisations are putting people first in 2021
Because most organisations now have robust perimeter security, cybercriminals instead focus on logging in, rather than breaking in. Their primary goal is to use social engineering (e.g. phishing) to get people to hand over their credentials without even realising.
This has been an even greater risk to organisations in 2020/21 due to remote working. For example, during the pandemic DLA Piper went from 65 offices to 7,000 home offices overnight. Most organisations had a similar experience – and in this dispersed working environment, it’s more important than ever that individuals are secure.
15. Intentional insider breaches need a different approach
Stephen Williamson, Head of Internal Audit Information and Information Security & Data Privacy, GSK – Panel: The impacts of insider data breaches
Breaches can be particularly damaging when they’re intentional and pre-planned. In these incidents, individuals work out the rules and the ways around them to do maximum damage to the organisation. Training and controls are good for accidental breaches, but malicious breaches need a different approach.
Anything can be circumvented over time – so while the impact of a malicious breach might be the same as an accidental one, they need different approaches to proactive management. The key is getting employees on board and relying more on people-based reporting.
16. Email data breaches take ~60 hours to remediate
Sudeep Venkatesh, CPO, Egress – Data-driven security: Using machine learning in the battle against breaches
Email data breaches can be costly to deal with in a number of ways. One significant cost is the resource time involved in dealing with them. Working with one of our customers, we found that each email data breach took them 60 working hours to fix on average.
This included all remediation efforts, including security, HR, and the time spent by other teams. If you multiply this by the average number of incidents a year (180), you can see it’s a significant risk to valuable resource time.
17. Egress continues to innovate to help organisations improve security and efficiency
Tayana Bellis, Director of Product Management, Egress – Egress in action
We’re continually improving our machine learning to understand how behaviours change, which is particularly important as the pandemic has changed working habits. For example, working hours have changed, so we recognise our product now needs to work harder to distinguish between legitimate and abnormal behaviours.
Everyone makes mistakes – but distracted, stressed out people working on mobile devices make far more. So we also plan to leverage natural language processing (NLP) and create data models for sentiment and emotional language to get a better understanding of compromise within a business.
Want to see more? Check out the full recording of HLS Global or choose an individual session to watch here.