Join America Back to Work, a weekly podcast, video, and blog series that covers timely and relevant topics affecting the labor market and workforce with industry experts. The series includes recruiting, hiring, retention, employee satisfaction, customer service, background screenings, and more.
The Trojan Horse: Internal Cybersecurity Threats
When you hear “cybersecurity threat,” you might think of a shady phishing attempt from another country or a mass data leak caused by tech failures. But your organization’s biggest cybersecurity threat isn’t external; it’s right under your nose (and probably on your payroll).
A recent IBM study found that insiders carry out 60% of cybersecurity attacks—maliciously or accidentally (the ratio remains debatable).
No matter the size or scope of a breach, it’s usually caused by an action (or failure) of someone within the company.
Often, it’s simply human error; it’s an employee with access to and control of your technological systems (think IT professionals and executives) who misplaces a device or misaddresses an email with confidential data.
Usually, employees—with limited awareness of or education around cybersecurity—make decisions that expose their systems to threats (like choosing an easy-to-guess password or working from personal devices on unprotected networks).
Sometimes, though, employees leak passwords intentionally, steal competitive information, or sell confidential data. This kind of internal cybersecurity threat usually comes from a disgruntled employee with malicious intent to harm the well-being of your organization.
Whatever the reason for the internal threat (human error, lack of awareness, or revenge), one thing is clear: cybersecurity is an HR problem.
Creating a Culture of Cybersecurity
It’s up to recruiters to screen for red flags and hiring managers to spot dishonest candidates. It’s up to HR professionals to help mitigate risk when an employee becomes disgruntled.
Ultimately, it’s up to your entire people operations team to create a culture of cybersecurity that raises awareness for security threats, educates employees on what to do when presented with one, and inspires employees to protect your business even when no one is looking.
Here are our top three tips for creating a positive cybersecurity culture at your organization:
Treat Cybersecurity as a Required Skill
Ensure you’re hiring with security in mind: find ways to gauge a candidate’s aptitude for cybersecurity before they walk through your door. Add security-focused questions to your interview process, chat with references about any concerns, and be sure your hiring teams are trained to screen for this.
This will not only help you make the right hire, but it will also set the tone for the candidate regarding cybersecurity at your organization.
To reinforce this tone, consider offering regular cybersecurity awareness training for current employees, such as the industry-leading NINJIO microlearning platform. This kind of training signals to new and veteran employees alike that cybersecurity is a core skill needed to work at your organization, a skill to be worked on and mastered during their employment.
Never Stop Talking About It
The conversation about cybersecurity should never cease. Cybersecurity should be a recurring theme from onboarding to regular company communications. Engaging employees from the outset in security practices and maintaining this focus helps ensure that security remains a top priority for everyone.
During this time, you can get employees excited about their role and excited about being an ambassador for cybersecurity at your organization.
Cybersecurity presentations, training, and communications should start when an employee becomes a candidate (which is onboarding for most) and continue through their tenure. Onboarding is the perfect time to teach the basics of cybersecurity: strong password practices, WiFi security precautions, safe email habits, and more.
From there, be sure to regularly write about security in company-wide emails, find a way to work it into the conversation in team meetings, and conduct training at a consistent cadence. These practices will help you get buy-in for your cybersecurity strategy from all levels of the organization and ensure that cybersecurity stays top of mind for employees.
Get to Know Your People
Recent 2022 Q3 data from Kroll, an industry-leading risk advisory solution, shows that insider threats accounted for nearly 35% of all unauthorized access cyber incidents compared to 25% in Q2 (the highest quarterly percentage).
Of those internal threats, most came from disgruntled employees during the termination process. That means it’s critical to keep an active pulse on employee engagement throughout the year to bolster your security defenses.
Moreover, organizations nationwide are experiencing unprecedented turnover (see: The Great Resignation) and dealing with a rapidly changing post-pandemic work landscape. In this modern labor market, the threat of turnover is high—leaving more room for conflict with employees on their way out.
Conducting employee feedback surveys regularly can help you collect up-to-date information about employees’ feelings. Even if anonymous, surveys paint a heatmap for where to manage risk (what areas, what teams, etc.).
Encourage managers to schedule regular check-ins with high-risk employees and to more closely monitor their behavior at work. And, if possible and permissible, manage high-risk employee activity on your company systems. Sometimes, the stakes are too high not to take this kind of action.