How threat detection data can improve cyber security culture and awareness programmes

By Holly Rostill, Security awareness and cyber workforce manager

When companies hear ‘insider threat’, the image that comes to mind is of a malicious employee selling secrets and causing disruption. In reality, the most common threat facing an organisation from the inside is accidental security incidents. This was demonstrated in a recent study where 78% of IT leaders said their employees had accidentally put company data at risk in the last 12 months [1].

These incidents can be caused by a number of factors, including: security processes which are poorly designed and make it difficult for employees to perform their role; staff making genuine mistakes due to being tired or overloaded; or users being unsure or unaware of the security behaviours they need to demonstrate and why. This highlights the need to understand what security behaviours people are demonstrating and what is driving them. Only then can organisations seek to influence and change security behaviour for the better.

Using data to improve security behaviours

Currently, evaluating security culture within an organisation relies on point-in-time qualitative assessment and the use of single data points, e.g. phishing click rates, which limits the depth and breadth of insight that can be derived. Furthermore, it is common for the supporting security training and awareness to be static, relying on annual activities and occasional emails. As technical security controls mature, and the amount of network and endpoint data being generated increases both in volume and granularity, we’ve asked: can a data-driven approach to security culture drive greater insight and more meaningful security culture change programmes?

By connecting the rich data from a threat detection solution, such as our managed cyber defence (MCD) platform, to a security culture and awareness programme, we can gain greater insight into user behaviour. Given the visibility and access the solution has over network and endpoint activity, we can understand user behaviour in greater depth and begin to understand what users are doing and, potentially, why.

We are then able to gather data on specific security behaviours that are relevant to the organisation’s current threat landscape. This gives us greater insight to drive our security culture and awareness programmes. Furthermore, better data on common incidents or near misses can be collected across different demographics and used to refine awareness campaign timing and audience, helping to maximise impact. This greater level of insight into user behaviour can improve reporting in relation to specific threat vectors.

Using a threat detection platform, such as MCD, as an enabler for this gives us the ability to customise and tweak the messages that users see in line with the security culture programme. It also gives us the opportunity to give timely messages to the user based on actions they are about to take, or on emerging threat vectors from our threat intelligence trends, which they may need to be aware of.

Driving positive change

The data gained from threat detection platforms can identify where additional investigation may be required to determine root causes and then design more impactful and meaningful interventions. For example: 

  • Is this an area where someone has made multiple attempts? 
  • Are there patterns across the workforce of combinations of incidents? 
  • Does it indicate an underlying root cause which can be investigated? 

These custom-designed interventions and messages can be used to encourage good security behaviour. For us, this is about using data to encourage and reward good security behaviour, and to enable positive change for the organisation.

The key to the success of these kinds of tools is understanding how they can be used to enhance an existing security culture and awareness programme and how you can bring the users along on the journey. Data has its place: it won’t replace the qualitative assessment, but it can serve to enrich the picture, adding both depth and breadth across the entire workforce.

Being able to add rich quantitative data to a security culture programme, as well as the existing qualitative data, brings a whole new perspective on user behaviour that we have not had before, giving us the power to tailor messages and reach individual users in a more impactful way.

[1] Insider Data Breach Survey 2020. Research commissioned by Egress; independently conducted by Opinion Matters.
