Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

5/27/2021 01:00 PM
Chrysa Freeman
Commentary
Let's Stop Blaming Employees for Our Data Breaches

Assuming employees want to steal trade secrets pits them against your security teams, creates stress and reduces productivity.

When data moves off a trusted network, the default response is often to assume malicious intent. We see news headlines about employees stealing data, and as a result we condition ourselves to leap to the conclusion that data leaks are typically malicious. In some cases it does turn out to be intentional theft, but when data spills off the network through the actions of trusted employees, we should take the time to dig a little deeper before drawing conclusions, especially because data exfiltration is very often the result of employee error or negligence rather than malice.

The vast majority of your employees are well-meaning, hard-working people who never intend to create a cybersecurity problem. Even so, in 2020, 17% of all data breaches were caused by human error, double the figure for 2019.


Maybe a new employee connects their personal iCloud account to their work device to keep their personal information close at hand, not realizing that a default sync setting ends up automatically uploading company files to that iCloud account. Or a team member working remotely during the pandemic opens a work file from their personal laptop because their work computer won't load. In neither case did the employee intend to cause a problem, and a security team concluding that they did will not prevent the next data loss.

In fact, assuming employees want to steal your intellectual property or trade secrets pits your security teams and employees against one another and could contribute toward unnecessary security-related stress. We need a better approach, one that begins with presuming your employees are just trying to get their work done and that their actions come from a place of positive intent.

Building a positive intent security culture begins on an employee's first day at work. Bake security into your onboarding process, even if you only discuss it for five minutes. Use that time to set the tone that your security team isn't out to get them and that you need employees' help to protect company assets. You should also lay the groundwork for how employees can best work with the security team: Where do they go if they need assistance, have questions, or need to report any issues or concerns?

It's also essential to provide regular, effective cybersecurity training that positions your employees as security heroes rather than adversaries. Instead of just focusing on malicious data theft, educate your team on common ways data is unintentionally leaked to raise awareness and prevent it from happening in the future.

As with any training, you also want to make sure that it sticks. How do you do that? Make the training itself engaging. Change up the format and make it interactive when possible. Pitch your phishing exercises as security challenges in which employees raise their score by not clicking on the test emails and by reporting them, and be transparent about why you run phishing training at all. We typically give new employees a heads-up that we'll be conducting phishing tests, not as a trick but to help them learn to recognize and report suspicious emails. We can't expect them to be great at something they never get a chance to practice.

Transparency goes a long way in both directions. At Code42, we also ask our employees to alert us when they have a business or personal reason to move or share a file. For example, a departing employee recently notified our security team that they were planning to transfer some personal photos saved on their work drive to a personal drive. This proactive behavior is helpful because it shortens investigation time when the transfer later shows up in monitoring, and it lets the security team suggest a more secure transfer method, such as an encrypted drive.

There is still a chance you will encounter an employee maliciously exfiltrating data. Even so, it is best to approach every data leak with the working assumption that the person behind it had positive intentions, since that is usually the case, and to verify rather than accuse. When reaching out to an employee about a security misstep or error, the language you use goes a long way toward showing that you are there to help and toward making the employee comfortable and willing to work with your team.

For example, if you notice a suspicious file transfer, you can send the employee a note along the lines of "We noticed a file transfer to a personal email account. Can you confirm if you're aware of this?" — instead of "We received notice that you transferred a file to a personal email account, so we are locking down your computer." Or if someone has not completed a required security training, you can say: "Our records show your security training is overdue, can you confirm?" More often than not, this will lead to a response from the employee asking where to find the training, indicating it's an education/communication issue instead of negligence. 
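The workflow in the two paragraphs above (employees pre-declare legitimate transfers; an undeclared transfer to a personal destination gets a question, not a lockdown) can be written down as a small triage routine. The following is an added example, not Code42's code or tooling: the log format, the list of "personal" domains, the users, addresses and declarations are all constructed for illustration, and a real deployment would feed it from a DLP or mail-gateway export and a policy-managed domain list.

```python
"""Triage of outbound file-transfer events (added example, not Code42's code).

Each event is checked against the destinations employees have declared in
advance; an undeclared transfer to a personal destination produces the kind
of non-accusatory outreach note the article recommends, not a lockdown.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumption: destinations at these domains are treated as "personal".
# A real deployment would load this list from policy, not hard-code it.
PERSONAL_DOMAINS = {"gmail.com", "icloud.com", "outlook.com", "yahoo.com"}


@dataclass
class TransferEvent:
    ts: datetime
    user: str          # corporate account that moved the file
    destination: str   # e-mail address the file was sent to
    filename: str


@dataclass
class Declaration:
    """A transfer an employee told security about ahead of time."""
    user: str
    destination: str
    reason: str
    valid_until: datetime   # declarations expire; later transfers are re-checked


def parse_event(line: str) -> TransferEvent:
    """Parse one line of the constructed 'ts|user|destination|filename' format."""
    ts, user, dest, fname = line.strip().split("|")
    return TransferEvent(datetime.fromisoformat(ts), user, dest, fname)


def is_personal_destination(dest: str) -> bool:
    domain = dest.rsplit("@", 1)[-1].lower()
    return domain in PERSONAL_DOMAINS


def matching_declaration(event: TransferEvent, declarations) -> Optional[Declaration]:
    """Find a still-valid declaration by the same user for the same destination."""
    for d in declarations:
        if (d.user == event.user
                and d.destination.lower() == event.destination.lower()
                and event.ts <= d.valid_until):
            return d
    return None


def triage(event: TransferEvent, declarations) -> tuple:
    """Return (verdict, note). Verdicts: 'ignore', 'declared', 'outreach'."""
    if not is_personal_destination(event.destination):
        return "ignore", ""
    decl = matching_declaration(event, declarations)
    if decl is not None:
        return "declared", f"Pre-declared ({decl.reason}); no outreach needed."
    # Wording follows the article: ask, don't accuse, and don't lock anything down.
    note = (f"Hi {event.user}, we noticed a file transfer ({event.filename}) to "
            f"{event.destination} on {event.ts:%Y-%m-%d}. Can you confirm if "
            f"you're aware of this?")
    return "outreach", note


# Constructed sample data; not real log lines or real declarations.
SAMPLE_LOG = [
    "2021-05-20T10:15:00|jdoe|jdoe.photos@icloud.com|vacation-photos.zip",
    "2021-05-20T11:02:00|asmith|asmith99@gmail.com|q2-roadmap.pptx",
    "2021-05-20T11:30:00|bwong|legal@example.com|nda.pdf",
    "2021-06-02T09:00:00|jdoe|jdoe.photos@icloud.com|more-photos.zip",
]
DECLARATIONS = [
    Declaration("jdoe", "jdoe.photos@icloud.com",
                "personal photos before departure", datetime(2021, 5, 31)),
]


def run(lines=SAMPLE_LOG, declarations=DECLARATIONS) -> list:
    """Triage every line; returns [(user, verdict), ...] in log order."""
    return [(e.user, triage(e, declarations)[0])
            for e in map(parse_event, lines)]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        event = parse_event(line)
        verdict, note = triage(event, DECLARATIONS)
        print(f"{event.user:8} {verdict:9} {note}")
```

Two details carry the article's point. The declaration has an expiry, so the fourth sample line (the same employee, the same iCloud address, but two days after the declared window) is routed back to outreach rather than silently trusted forever. And the only automated action on an undeclared transfer is a question addressed to the employee; any decision to restrict access stays with a human who has read the reply.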

Security problems can cause a lot of stress, both for employees and security teams. We need to rewrite and strengthen the security narrative to emphasize that most employees are well meaning. Doing so will show employees your team views them as trusted security partners and will allow the business to be more efficient and proactive about their security approach.

Chrysa has been in corporate security for 13 years. She's built security awareness programs from the ground up in various industries including retail, technology, and healthcare. Chrysa is currently Manager of Security Awareness at Code42. She is passionate about presuming ...

Comments
matt.lindley, 5/28/2021 11:55:07 AM
Using Positive Reinforcement to Enhance Proactive Cybersecurity Engagement
Great article and spot on with respect to increasing engagement.

We find that one of the best ways to increase overall employee engagement in the organization's security program is to find ways to promote proactive behavior through gamification, management involvement, and meaningful KPIs/KRIs built around the reaction/interaction to threats and potential threats. For example, when it comes to simulated phishing, instead of looking at click-through rates as the key metric, organizations can focus on the proactive reporting of threats and the "see something, do something" mentality in order to create a more positive experience overall, thus improving employee willingness to engage in good habits and behavior and ultimately changing one's identity with a more proactive inherent scrutiny in how they process and respond to information. Organizations that traditionally knee-jerk enroll employees immediately after failing a phishing test tend to promote an adversarial relationship between IT and the workforce. Although click-through rates can provide some meaningful information about areas of risk, incentives around the promotion of proactive behavior and employees becoming proactive cybersecurity citizens are one of the best ways to enhance engagement across a security awareness program and empower employees and teams to identify and stop threats.