Rediscover trust in cybersecurity | MIT Technology Review


The world changed dramatically in a short time, and the world of work changed with it. The new hybrid world of remote and in-office work has implications for technology, especially cybersecurity, and signals that it is time to acknowledge how intertwined people and technology really are.

Enabling a fast-paced, cloud-powered collaboration culture is critical for fast-growing companies and positions them to innovate and outperform their competitors. However, achieving this level of digital speed comes with a rapidly growing cybersecurity challenge that is often overlooked or de-prioritized: insider risk, when a team member accidentally (or not) shares data or files outside of trusted parties. Ignoring the intrinsic link between employee productivity and insider risk can affect both an organization’s competitive position and profitability.

You can’t treat your employees the way you treat nation-state hackers.

Insider risk includes any user-sourced data exposure, whether security, compliance or competitive in nature, that jeopardizes the financial, reputational or operational well-being of a company and its employees, customers and partners. Thousands of user-sourced data exposures and leaks occur every day, resulting from accidental user error, employee negligence, or malicious users intending to harm the organization. By making decisions based solely on time and reward, sharing and collaborating with the goal of increasing their productivity, many users create insider risk inadvertently. Other users pose a risk due to negligence, and some have malicious intentions, for example an employee stealing company data to bring to a competitor.

In terms of cybersecurity, organizations need to handle insider risks differently than external threats. With threats like hackers, malware, and nation-state threat actors, the intent is clear: it’s malicious. However, the intent of employees who create insider risk is not always clear, even if the impact is the same. Employees may leak data accidentally or through negligence. Fully acknowledging this fact requires a change in mindset for security teams that have historically operated with a bunker mentality: besieged from the outside and keeping their cards close to the vest, so that the enemy cannot understand their defenses and use that knowledge against them. Employees are not enemies of a security team or a company; in fact, they should be seen as allies in the fight against insider risk.

Transparency fosters trust: Building a foundation for education

All companies want to prevent their crown jewels, such as source code, product designs and client lists, from falling into the wrong hands. Imagine the financial, reputational and operational risk that could arise from material data leaks prior to an IPO, acquisition or earnings call. Employees play a crucial role in preventing data leaks, and there are two key elements to turning employees into insider risk allies: transparency and education.

Transparency can conflict with cybersecurity. For cybersecurity teams operating with a hostile mindset suited to external threats, it can be difficult to approach internal threats differently. Transparency is about building trust on both sides. Employees want to feel confident that their organization is using data wisely. Security teams should always start from a place of trust, assuming that the majority of employee actions have a positive purpose. But as the saying goes in cybersecurity, it’s important to “trust but verify”.

Monitoring is a critical part of managing insider risk, and organizations must be transparent about it. CCTV cameras are not hidden in public spaces. In fact, they are often accompanied by signs announcing that there is surveillance in the area. Leadership should make it clear to employees that their data movements are monitored, but their privacy is respected. There is a big difference between monitoring data movement and reading all employee emails.

Transparency builds trust, and with this foundation an organization can focus on reducing risk by changing user behavior through education. Currently, security education and awareness programs are niche. Phishing training is the first thing that comes to mind because of its success in moving the needle and getting employees to think before they click. Other than phishing, there isn’t much training for users to understand exactly what they should and shouldn’t do.

For starters, many employees don’t even know where their organization stands. What apps are they allowed to use? What are the interaction rules for these apps if they want to use them to share files? What data can they use? Do they have rights to this data? Does the organization even care? Cybersecurity teams deal with a lot of noise made by employees doing things they shouldn’t. What if you could cut out that noise just by answering these questions?

Employee education must be both proactive and responsive. Proactively, to change employee behavior, organizations must provide both long- and short-form training modules to teach and remind users of best behavior. Additionally, organizations must respond with a microlearning approach, using bite-sized videos designed to address highly specific situations. The security team needs to take a page from marketing by focusing on repeated messages delivered to the right people at the right time.

Once business leaders understand that insider risk is not just a cybersecurity issue, but one that is closely intertwined with an organization’s culture and has a significant business impact, they will be in a better position to innovate and outperform their competitors. In today’s hybrid world of remote and in-office work, the human element in technology has never been more important. Therefore, transparency and education are essential to prevent data from leaking outside the organization.

This content is produced by Code42. It was not written by the editorial staff of MIT Technology Review.
