Sponsored by OneTrust, PrivSec World Forum is part of the Digital Trust Europe series, and will take place on June 7 and 8 at Park Plaza, Westminster Bridge, London.
The two-day, in-person event will bring a broad range of subject matter experts and thought leaders together to discuss the latest goings on in data protection, privacy, and security.
We spoke with Jonathan to learn more about his professional journey and to understand what firms are doing to protect themselves against those who work within the company walls.
Could you outline your career pathway to date?
It’s been somewhat unconventional, to say the least. My academic background is in psychology, and I’ve spent most of my career to date with public sector employers – the police, local government and the NHS – working in a variety of information governance, data protection and cyber security roles. I’ve recently moved into the commercial sector, with a healthcare tech company as their privacy and compliance lead for the UK and Europe.
While it’s not necessarily a ‘traditional’ route into cybersecurity and privacy, it’s become increasingly apparent to me that much of what we want to achieve in those areas is actually a form of applied psychology – understanding what motivates people to do (and not do) certain things; applying an understanding of normal human thinking to designing business processes and software tools to maximise appropriate behaviours; creating training that employs fundamental learning approaches and supporting tools to optimise the efficacy of that training. In that regard, I often think of myself as a “Cyber Psychologist”.
I feel that the industry is currently experiencing a boom, with far more jobs available than there are appropriately skilled people to fill them, and that’s in stark contrast to when I first started in this industry, as roles were much less commonplace then. I also think that the profile of these types of roles has risen significantly in recent years, partly driven by circumstances, such as the pandemic and the drastic rise of cybercrime, but also by an increasing awareness that effective privacy management and cybersecurity are business-critical.
What lessons can we learn from recent high-profile attacks, such as those perpetrated by the Lapsus$ cybercrime gang?
For me, the most important takeaway from incidents like that is that we need to fundamentally alter our thinking about cyber breaches – from the position where we prepare our security approach as if a breach will never occur, to one where we anticipate that we will be breached at some point, and prepare our defences, risk mitigation, and disaster recovery accordingly. It’s not about a single tool or process, it’s about a long-term approach to security, incorporating multiple layers of security, redundancy, and backups.
Sadly, very high-profile attacks are an excellent real-world example of Murphy’s Law in action – if we can conceive of a threat, it will probably happen at some point, and therefore our security approach needs to incorporate that – we cannot create our defences based on the “it’ll never happen to us” principle, as the consequences of being proven wrong are far-reaching and extremely costly.
What are the key components that should underpin a robust and effective insider threat monitoring programme?
Primarily, I think that we have to be clear what we mean when we’re discussing insider threats, so we develop a programme to protect against the correct thing(s). The terminology “insider threat” can refer to a wide variety of circumstances and it is remiss to lump them all together. It’s also nigh on impossible to develop a ‘one size fits all’ solution.
In my experience, insider threats broadly fall into one of two categories: either malicious actors, such as a disgruntled employee, rogue contractor, etc., or genuinely well-intentioned employees who make a mistake. The latter group comprises the vast majority of the insider threat data breaches reported to the ICO annually, so it stands to reason that while we should clearly develop robust defences against malicious actors, we should also focus more effort on ensuring that the vast majority of our staff are less likely to make mistakes which lead to cyber threats.
I would also counsel you to be mindful of employees’ views of tools and processes that are designed to monitor them – while taking a ‘Big Brother’ approach may seem simple and potentially effective, it has many drawbacks, not least the distrust and disengagement from staff. Starting with a surveillance approach doesn’t feel like the right way to go about building a more trust-driven security culture. Be transparent with staff about what you’re doing, and how it makes them and the business more secure, and you will get much better engagement with your security approach.
What immediate practical measures can organisations take to begin reducing their insider threat?
Education, education, education! Staff can be an organisation’s best asset in combatting cyber threats, so it makes sense to ensure that those staff are as well-trained and supported as possible.
Firstly, I’d strongly advocate abandoning the outdated idea of a single, annual cyber security training module for staff, in favour of a more ‘drip feed’ approach – research has repeatedly demonstrated that imparting bitesize pieces of cyber security knowledge to staff on a very regular basis is a significantly more effective method of training and awareness raising.
Secondly, ensure that you have a clear understanding of the data flows within your business. If you don’t have an accurate data flow map, you don’t know what you have, you don’t know who should have access to it, and you don’t know where it’s going. All of this adds up to a network that you can’t properly secure from insider threats.
Thirdly, ensure that you have extremely robust identity and access management processes.
If you can’t accurately or consistently verify users on your network, and you don’t know who should have access to what, it is incredibly difficult to ensure that only the right people have access to the right information at the right time. Moreover, robust access rights management will ensure that the wrong people don’t have access to privileged data, so it’s key to your security approach that you can discern who’s who and who should have access to what.
Finally, implement software tools that actually prompt and support staff to engage in positive security behaviours. It’s easier to nudge behaviours and processes in the right direction, rather than trying to “turn the tanker around” in one go, and it’s aided by employing software solutions that reinforce privacy- and security-positive behaviours.
Also on the panel:
- Dominic Johnstone, Lead Information Governance Expert, InfoTechtion
- Bill Mew, Founder and CEO, Crisis Team
- Robert Fleming, CMO and Head of Product Management, Zivver
→ Session time: 14:15-15:00 BST
→ Date: Wednesday June 8, 2022
→ Venue: Park Plaza Westminster Bridge, London
PrivSec World Forum is also available on-demand for global viewing.