Insider Threat Management

Do Your Users Really Understand Your Cybersecurity Policy?

Share with your network!

Everyone knows that a successful cybersecurity program starts with your users (the potential insider threat) understanding and following through with established cybersecurity policy. After all, they’re the individuals given licensed access to valuable systems, files, and data from the start. If they can’t maintain policy compliance, who can?

The better question might be: if your users don’t understand your cybersecurity policies, would you even notice or detect it?

According to new data presented by our newly released “Multigenerational Workplace and Insider Threat Risk” study, the answer is a resounding “Not likely.”

The Risk of the Accidental Insider Threat

There are two types of insider threats that exist in the wild: the malicious insider threat, and the less talked about negligent, or accidental insider threat. They can be either your own employees or third-party vendors and contractors.

On one hand you have an insider who has the intent to cause harm to the organisation they’re working for. On the other, you have a user who stumbles through potentially harmful situations without mal intent. The trouble is that when it comes to an incident occurring, the intention doesn’t matter so much as the resulting cost of the insider threat.

According to data collected from surveying more than 1,000 full-time employees, 65% of respondents believe they understand the concept of an “insider threat.” 64% of them also believe that careless employees, or the accidental insider threat, are the most common cause of insider threat incidents. This lines up with independent data released by the Ponemon Institute in April 2018, which suggests that negligence caused 64% of all insider threat incidents in the past 12 months.

The data suggests a lack of confidence in users understanding cybersecurity policy. So why is there not a renewed focus on coaching them on cybersecurity policy and best practices to prevent insider threat incidents?

A Potential Lack of Personal Responsibility?

90% of 45-54 year olds and 55-64 year olds reported that they follow their organisation’s cybersecurity policies. Conversely, about 34% of 18-24 year olds reported that they “don’t know” or “don’t understand” what is included within their company’s cybersecurity policy.

On the surface, it would seem that Generation X and Baby Boomers are the “least risky generations” in terms of cybersecurity, and that Generation Z poses “the highest overall” cybersecurity risk. But it gets more complicated than that when you consider the fact that the questions were rooted in self-reflection. Who is more likely to be transparent in this scenario: The Gen X or Baby Boomer with a lot to lose, or the Gen Z employee just getting started in their career?

What is important to note from this dataset is that there are overwhelming numbers of people who believe they are acting securely and an equally overwhelming number of people who believe the users are not acting securely. The truth is likely somewhere in the middle but the fact remains that the number of cybersecurity incidents continues to rise. The Ponemon data shows that since 2016, the average number of incidents involving employee or contractor negligence has increased by 26 percent, and the cost to contain an incident in North America has risen to $11.01 million.

The goal should always be to improve cybersecurity policy awareness and understanding among your users, and use each misunderstanding or mistake as a valuable coachable moment.

It also doesn’t hurt to get added visibility into user activity to better detect, investigate, and prevent incidents…