Rediscover Confidence in Cybersecurity | MIT Technology Review

The world has changed dramatically in a short time, changing the world of work along with it. The new hybrid world of remote and office work has ramifications for technology, specifically cybersecurity, and signals that it is time to recognize how intertwined humans and technology really are.

Enabling an accelerated, cloud-based culture of collaboration is critical for rapidly growing businesses, positioning them to innovate, outperform and outsmart their competitors. However, achieving this level of digital speed comes with a rapidly growing cybersecurity challenge that is often overlooked or de-prioritized: internal risk, when a team member, accidentally or intentionally, shares data or files outside of trusted parties. Ignoring the intrinsic link between employee productivity and internal risk can affect both an organization's competitive position and its bottom line.

You can’t treat employees the same way you treat nation-state hackers

Internal risk includes any user-driven data exposure event (of a security, compliance, or competitive nature) that jeopardizes the financial, reputational, or operational well-being of a company and its employees, customers, and partners. Thousands of user-driven data exfiltration and exposure events occur daily, stemming from accidental user errors, employee negligence, or malicious users trying to harm the organization. Many users create internal risk by accident, simply making decisions based on time and reward, sharing and collaborating with the goal of increasing their productivity. Other users create risk through negligence, and some have malicious intent, such as an employee stealing company data to take to a competitor.

From a cybersecurity perspective, organizations must treat internal risk differently from external threats. With threats like hackers, malware, and nation-state threat actors, the intent is clear: it is malicious. But the intent of employees creating internal risk is not always clear, even if the impact is the same. Employees can leak data by accident or through negligence. Fully accepting this truth requires a mindset shift for security teams that have historically operated with a bunker mentality: under siege from the outside, holding their cards close to the vest so the enemy cannot learn about their defenses and use that knowledge against them. Employees are not the adversaries of a security team or a company; in fact, they should be seen as allies in the fight against internal risk.

Transparency breeds trust: laying the foundation for training

All companies want to prevent their crown jewels (source code, product designs, customer lists) from ending up in the wrong hands. Imagine the financial, reputational, and operational risk that could come from material data leakage prior to an initial public offering, acquisition, or earnings call. Employees play a critical role in preventing data leaks, and there are two crucial elements to turn employees into internal risk allies: transparency and training.

Transparency can be at odds with cybersecurity. For cybersecurity teams operating with a proper adversary mindset for external threats, it can be challenging to approach internal threats differently. Transparency is about building trust on both sides. Employees want to feel that your organization trusts them to use data wisely. Security teams should always start from a place of trust, assuming that the majority of employee actions have a positive intention. But, as the saying goes in cybersecurity, it is important to “trust, but verify.”

Monitoring is a critical part of internal risk management, and organizations must be transparent about it. CCTV cameras are not hidden in public spaces; in fact, they are often accompanied by signs advertising that the area is under surveillance. Leadership must make it clear to employees that their data movements are being monitored, but that their privacy is still respected. There is a big difference between monitoring data movement (which files go where, how many, how large) and reading all employee emails.
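To make the distinction between monitoring data movement and reading content concrete, here is an added example (not from the article and not Code42's product code) of detection logic that classifies file-movement events using metadata only. The event format, the sanctioned destinations (`drive.example.com`, `sharepoint.example.com`, device ids prefixed `corp-`), the 50 MB single-file threshold and the 10-files-in-5-minutes burst rule are all assumptions chosen for illustration; the sample events are constructed, not real telemetry.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed policy values (hypothetical, not from the article).
SANCTIONED_HOSTS = {"drive.example.com", "sharepoint.example.com"}
SANCTIONED_DEVICE_PREFIX = "corp-"          # managed endpoints, e.g. "corp-laptop-17"
LARGE_FILE_BYTES = 50 * 1024 * 1024         # one 50 MB+ file leaving trusted scope
BURST_COUNT = 10                            # 10+ files to untrusted scope ...
BURST_WINDOW_S = 300                        # ... within five minutes


@dataclass(frozen=True)
class MoveEvent:
    """One file-movement event. Deliberately carries no file or message content."""
    ts: int            # unix seconds
    user: str
    action: str        # "upload", "copy" or "share"
    file_name: str
    size_bytes: int
    destination: str   # URL for uploads/shares, device id for copies


def destination_host(dest: str) -> str:
    """Reduce a URL or device id to the hostname/device we classify on."""
    if "://" in dest:
        return (urlparse(dest).hostname or dest).lower()
    return dest.lower()


def is_trusted(dest: str) -> bool:
    host = destination_host(dest)
    return host in SANCTIONED_HOSTS or host.startswith(SANCTIONED_DEVICE_PREFIX)


def detect(events):
    """Return findings for movement to untrusted destinations.

    Every decision uses destination, size and count only; nothing here opens
    a file or an email body, which is the privacy boundary the text describes.
    """
    findings = []
    recent = defaultdict(list)   # user -> timestamps of recent untrusted moves
    for ev in sorted(events, key=lambda e: e.ts):
        if is_trusted(ev.destination):
            continue
        host = destination_host(ev.destination)
        if ev.size_bytes >= LARGE_FILE_BYTES:
            findings.append({"rule": "large_file_untrusted", "user": ev.user,
                             "destination": host, "file": ev.file_name})
        window = [t for t in recent[ev.user] if ev.ts - t <= BURST_WINDOW_S]
        window.append(ev.ts)
        recent[ev.user] = window
        if len(window) == BURST_COUNT:   # fire once, when the threshold is crossed
            findings.append({"rule": "burst_untrusted", "user": ev.user,
                             "destination": host, "count": len(window)})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    MoveEvent(1000, "alice", "upload", "roadmap.pptx", 4_000_000,
              "https://drive.example.com/u/1"),            # sanctioned: no finding
    MoveEvent(1010, "bob", "copy", "customer_list.csv", 120 * 1024 * 1024,
              "usb-0f3a"),                                  # large file to removable media
    MoveEvent(1020, "dana", "copy", "notes.txt", 2_000,
              "corp-laptop-17"),                            # managed device: no finding
] + [
    MoveEvent(2000 + 10 * i, "carol", "upload", f"src_{i}.zip", 300_000,
              "https://personal-cloud.example.net/up")      # 12 small files in 2 minutes
    for i in range(12)
]


def sample_findings():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run on the sample events this produces exactly two findings: one for the 120 MB copy to `usb-0f3a`, and one burst finding for `carol` when her tenth upload to the unsanctioned host lands within the window. Alice's and Dana's movements never reach the rules because their destinations are trusted, and no rule ever looks at what the files contain.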

Transparency builds trust, and on that basis an organization can focus on mitigating risk by changing user behavior through training. At the moment, security education and awareness programs are narrow. Phishing training is probably the first thing that springs to mind, because it has succeeded in moving the needle and getting employees to think before they click. Outside of phishing, there is not much training that helps users understand what, exactly, they should and should not do.

For starters, many employees do not even know where their organization stands. What applications can they use? What are the rules of engagement for those apps if they want to use them to share files? What data can they use? Are they entitled to that data? Does the organization even care? Cybersecurity teams deal with a lot of noise from employees doing things they should not. What if you could reduce that noise just by answering these questions?

Employee training must be both proactive and responsive. To proactively change employee behavior, organizations must provide short- and long-form training modules that teach and remind users of the right behaviors. In addition, organizations must respond in the moment with a microlearning approach: short videos designed to address very specific situations. The security team should take a page from marketing's playbook, focusing on repeated messages delivered to the right people at the right time.

Once business leaders understand that insider risk is not just a cybersecurity problem, but is intimately intertwined with the culture of an organization and has a significant impact on the business, they will be in a better position to innovate, outperform and outsmart their competitors. In today's hybrid world of remote and office work, the human element within technology has never been more significant, which is why transparency and training are essential to prevent data from leaking outside the organization.

This content was produced by Code42. It was not written by the editorial staff of MIT Technology Review.
