From employees accidentally clicking on malicious links, to sabotage, theft of data and unauthorised access, companies have plenty of potential insider cybersecurity threats to consider.
Exclusively at PrivSec Global this afternoon, a panel of experts put this crucial issue under the microscope and discussed best practice when it comes to mitigating risk.
Jacob Høedt Larsen, Head of Communications at Wired Relations, began the debate by asking for a definition of an “insider threat”.
Yanya Viskovich, Chair, Cybersecurity Risk & Governance Working Group at Swiss Cyber Forum, described it as “The unwelcome gift that keeps on giving – anything that potentially poses a risk to a company.”
“But you also need to realise that an acceptable risk to the company is not necessarily an acceptable risk to the data subject. Resilience is relative,” Yanya said.
Senior Risk Manager Iva Goel added: “You need to consider different types of risk. The regulations we have these days address the access that employees have, so it’s critical how we approach cyber threats. In terms of what to look for regarding insider threat, when you look at the triad of any system (technology / processes / people), people are aligned to the processes. If the processes are strong enough, then people should not have access to certain data.”
Delving into how responsibility for mitigating risk needs to be shouldered throughout a company, Yanya said:
“It’s about organisational culture and corporate leadership. Those companies that demonstrate corporate leadership are typically proactive on this issue, as opposed to reactive. Culture determines the processes in any organisation, and values determine the culture. In companies where they are consistently approaching this seriously across all departments, these are the companies that are better able to manage and mitigate risk.”
Ira Goel added: “People are the biggest assets for any organisation; we have to protect those assets (in terms of educating them), building a culture of risk recognition and transparency in data handling.”
Yanya said: “Often there is a conflation between transparency and privacy, but they are very different. Companies that are transparent about having been hacked have a great chance to learn from cyber-attacks and strengthen themselves accordingly. Companies that have a best-in-class approach understand that everyone in the organisation has an active and key role to play in managing risk.”
“It’s difficult to generate a culture of ‘cybersecurity matters’ when those at the top are not leading by example. It’s important to see that we all must understand how what we do, and how our access to systems and networks, actually relates to the risks of our business. Individuals need to understand how their actions can directly disrupt continuity. When people understand the role they play, they become concerned and become interested in protecting the core business,” Yanya added.
Touching upon the role that must be played at board level, Ira Goel said:
“Everything must start at the top and filter down, so if leadership is not on board with what they expect everyone else to do, then culture will not grow. If the board is doing everything that we don’t expect employees to do, then how can you take disciplinary action against that employee? Or how can you take action against them because they did something that caused revenue loss?
“You can’t 100% mitigate risk, but the biggest one is training – giving your people information regularly that is focused to the audience so that they can absorb it,” Iva continued.
Yanya added: “Government regulation can help here by stipulating that boards meet certain knowledge requirements and training requirements. I think over time we’ll see certified forms of training, on GDPR understanding, for example, and I think this will develop as the threat landscape develops.”