We are delighted to announce Wisdom Aveh as a guest speaker at #RISK London, opening this week at Excel.
Wisdom Aveh is a Security and Privacy Consultant at Perceptive Risk. Leveraging over 20 years’ industry experience, Wisdom has a wealth of sector-specific training and certifications.
Exclusively at #RISK London, Wisdom will appear on a panel to explore insider threats and what organisations can do to mitigate internal risk.
We spoke with Wisdom for further insight into this vital topic, and to learn more about his professional journey so far.
Could you outline your career to date?
My career journey began over 20 years ago in the British Army where I spent seven years leading various security and logistics operations. After my time in the army, I returned to education and focused on security and crime prevention.
My background includes periods with the BBC, the Metropolitan Police Service, J Murphy and Sons Limited, Thames Water Utilities, NATO and Deckers Brands, and I am currently managing Information Security at Ometria.
What are the primary insider threats that organisations have to deal with?
Human risks are among the most serious that we need to focus on – risks that are already present within your organisation. In terms of what to look out for, organisations must set their baseline risk and have risk measurements in place with regard to who is coming into the organisation to manage what.
You need to be aware of the resources held within the organisation and what business areas need more attention, and within that, segregation of duties. Think about whether people are being allowed to carry out their jobs without understanding their roles and responsibilities from a privacy and security perspective.
Access control plays a big role here, looking at accounts that people have access to, and whether those individuals understand the risks involved. This can all be achieved if the leaders have the knowledge about the environments they’re working in, but unfortunately, this is where the gap exists.
Problems arise when leaders do not have any idea about security and privacy risks within the environments in which they are operating. They may know about security and privacy but lack the understanding. They may not understand what risks the organisation and people are exposed to, before they can even try to begin implementing controls to deal with the threats.
In such a situation, the battle is lost even before it is started because the humans have now become the biggest risk to their own organisation.
What are the primary strategies that organisations are employing to combat insider threats?
Currently, owing to the rapid evolution of technology, organisations tend to be mostly focusing on technology to combat and solve insider threats. This is good, but we should note that too much reliance on technology can mean the human risk gets overlooked.
Tech can help control risk, but it can also lead to a skills gap if humans do not also understand risk. We have to understand the basics, and this begins with knowledge – putting tools and controls in place to mitigate insider risk, and supporting this with training and awareness.
Unfortunately, flooding the environment with tech can sometimes perpetuate a lazy mindset towards risk, but it’s also not cost-effective for every organisation. Small businesses with limited resources should concentrate their efforts on training and education so that workforces understand where knowledge gaps lie, and can then address those to best effect.
We should try and have an honest conversation about human skill and technology. Technology is aimed at supporting humans and not the other way around.
What challenges do organisations face as they bid to put together a comprehensive insider threat programme?
Challenges centre upon a lack of knowledge and risk awareness within their environments. Risk managers may be looking at data privacy, information security, health and safety, or finance, but whatever your risk sector, if understanding is missing, then there could be big problems.
We need to ensure that leaders across all departments in the business unit have a basic understanding of risk and how to measure risk within each environment that they operate in. Within this, policy and procedures need to be established before we can start to see where knowledge gaps lie. We need to get the basics right.
Secondly, when we have controls in place, we need to be aware that even the most effective controls can restrict people from doing their job. So, having strict controls within engineering departments for developers who are using open-source software tools could be counterproductive because people will always find a way to circumvent restrictions in order to do their job without going through the right process.
We need to think about how we can put controls in place, but in a way that supports and enables productivity and not for the sake of it.