How Poor Security Culture Leads to Insider Risk

Corporate leadership is expected to set the tone for the entire company. That’s especially important with regard to how the organization approaches cybersecurity. If leadership doesn’t adopt strong security practices, chances are good that same attitude trickles down throughout the rest of the company, resulting in a greater risk of insider threats.

“A strong cybersecurity culture in a company is extremely important, but often hard to find,” said Monica Jain, chief customer officer and co-founder at LogicHub.

Shut Down the Department of No

A good security culture doesn’t just happen. Many organizations treat security as the responsibility of the cybersecurity team, maybe with an assist from IT. Instead, building a security culture is an ongoing process that involves each person within the organization. Employees are assets in building and sustaining that culture, and it works when everyone in the company is included as an equal partner in protecting corporate data.

Security teams are often seen as the “Department of No,” quick to reject requests for access to apps, websites and the wider network. The security team sees the risks; the rest of the staff sees it as stifling productivity.

“Users need to be trained not just on what to do or not do, security-wise,” said Jain. “They need to get a better understanding of why specific practices are risky and how they can adapt to security policies, but still work efficiently.”

The more employees are valued as a security asset, the more security-savvy they become. And the more security-savvy the workforce, the better it becomes at recognizing threats and the less likely its members are to turn into an insider threat.

Threat Actors Take Advantage of Poor Security Culture

Cybercriminals are constantly looking for any angle they can find to get into your network, and the easiest way to do it is to find the weakest link on the inside. Threat actors take advantage of poor security habits and cultures.

A strong security culture, for example, has systems in place that enforce strong passwords and multi-factor authentication, backed by a workforce that not only understands the need for unique passwords but also puts that habit into practice. Contrast that with the SolarWinds hack, where a weak password belonging to the company was found to have leaked publicly. Whether that password played any role in the intrusion was never established, but its existence is telling on its own.

That lapse, in and of itself, could have been a simple mistake by someone without a solid security background, but dig a little deeper and it raises questions about security culture. First, why was a weak password allowed to be created in the first place? Second, an intern was blamed for the mistake; then it was reported that the password was for a third-party vendor. A strong security culture would have systems in place for solid password management as well as a well-prepared cybersecurity response team. It would also be a blameless culture that protects its workers rather than dumping all the responsibility on the lowest person on the workplace ladder.
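The “system in place” that answers the question above is a check at password-creation time. The example below is added here and is not code from the article or from any company it mentions. It follows the approach NIST SP 800-63B recommends: a length floor, screening against a list of known-compromised passwords, and rejection of context-specific words such as the organisation’s or product’s name, with no composition rules. The organisation names (`examplecorp`, `orion`) and the small compromised-password list are constructed stand-ins; in production the compromised check would query a breached-password corpus rather than a Python set.

```python
"""Reject weak passwords at creation time (added example, not the article's code).

Policy: minimum length, no known-compromised passwords, no organisation or
user-specific words (even with leetspeak substitutions), no long repeats.
"""
import re
import unicodedata

MIN_LENGTH = 12    # NIST 800-63B requires at least 8; longer costs nothing
MAX_LENGTH = 128   # cap so password hashing cannot be turned into a DoS

# Constructed stand-in for a compromised-password corpus (Pwned Passwords or
# a local hash list in production).
COMPROMISED = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome",
    "welcome1", "admin123", "iloveyou",
}

# Constructed context words: organisation and product names, which tend to
# end up in passwords of the form "<company>123".
CONTEXT_WORDS = ("examplecorp", "orion")

# Undo common leetspeak substitutions so "Ex@mpleC0rp!" still collapses to
# the company name. Both strings must be the same length.
_LEET = str.maketrans("@$013457!", "asoleasti")


def _fold(text: str) -> str:
    """Lower-case, strip accents, undo substitutions and keep letters only."""
    s = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    s = s.lower().translate(_LEET)
    return re.sub(r"[^a-z]", "", s)


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Compare the lowered password and its "core" (leading/trailing digits and
    # punctuation removed) so "Password1!" is still caught as "password".
    lowered = pw.lower()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    if lowered in COMPROMISED or core in COMPROMISED:
        problems.append("appears in a list of compromised passwords")

    # Context words: organisation/product names plus the account name.
    folded = _fold(pw)
    for word in CONTEXT_WORDS + ((username,) if username else ()):
        if len(word) >= 4 and _fold(word) in folded:
            problems.append(f"contains the context word {word!r}")

    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a run of four or more identical characters")

    return problems


def is_acceptable(pw: str, username: str = "") -> bool:
    return not check_password(pw, username)


if __name__ == "__main__":
    # Constructed candidates, including a company-name-plus-digits password.
    for candidate in ("examplecorp123", "Ex@mpleC0rp!", "Password1!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The point of folding leetspeak before the context-word check is that a rule which only blocks the literal company name is trivially bypassed by the first user who types `Ex@mpleC0rp1`; the compromised-list check, not a complexity rule, is what catches `Password1!`.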

“When the organization faces internal weaknesses or discord in security practices, this opens the door to social engineering, malware distribution and other incursion vectors,” said Tim Helming, security evangelist with DomainTools, in an email interview.

Building a Positive Security Culture

Honest mistakes happen, and even the most security-savvy user is going to fall for a phishing email or use an unapproved application once in a while. Users are human. But Helming pointed out that organizations need to stop shaming users when they make a mistake. Security teams and leadership not only want employees to be upfront; they need to hear about any potential compromise immediately so the threat can be addressed quickly. Shaming users makes them less willing to come forward, and the culture becomes one of secrecy, where people hide mistakes to avoid embarrassment or worse.

What makes a good workplace culture? It’s anything that brings joy to employees, from great benefits to ensuring a good work-life balance to casual Fridays and bagels in the break room each morning.

Helming recommended gamification as a way to build a positive security culture.

“Give away coffee cards to folks who report phishes (whether phishing awareness test emails or real phishes); take a coaching rather than punitive approach to errors,” Helming said.

“Too many organizations view security best practices as rules, handed down from IT and rigidly enforced regardless of whether they make sense,” Jain added. “We really need to shift mindsets from end-users being a security risk, to all users being part of the solution.”

Sue Poremba

Sue Poremba is freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.