I would offer that, in our ardor to discover yet another algorithm or create yet another complex software suite to counter the malicious insider or, almost as dangerous, the persistent state-sponsored threat, we are missing the best, and ironically the least-expensive method to mitigate these threats.
What is it?
Work to create a culture of an informed, empowered and committed workforce, fully appreciative of the threat and knowledgeable of the signs of concerning behaviors on the part of co-workers, and specifically what to do and who to call in the event they see something suspicious or worrisome.
Coupled with enthusiastic corporate leadership and a demonstrated commitment to seeing this simple but essential training and education of the workforce take place, this is the simple elixir that will make the difference.
If there is little or no perceived commitment by the “boss”, or the Director/CEO, then the likelihood for success is almost nil, as the effort will be perceived as just another exercise and ‘block-checker’ directed by management.
Employees with a true sense of ‘ownership’ are the best first line of defense against the myriad of cyber, physical and even clever social engineering threats arrayed against them. After all, they are just protecting their own jobs by protecting the company’s intellectual property, reputation and future financial success.
Unfortunately, the default position of human nature and the prevailing attitude is more in line with what I noted in my first blog post: Tony Robbins pointed out that [only] 29% of employees are “engaged” in their work. Just for fun, the next time you go into a big box store, or even a very high-end boutique store, take a moment to assess the demeanor and attitude of the employee you encounter, and try to get a sense of their ‘ownership’ of their department, section, or the store as a whole. If your experience is anything like mine, it won’t be very high.
So what does all this mean?
You and your security team will have an uphill battle trying to establish and maintain this true sense of ownership. It will require work. It will require you and your staff getting out and mixing it up with the workforce. It might even require your team creating rewards and other incentives for them to highlight vulnerable or unworkable, unrealistic systems, policies, or procedures. A sterile, bi-monthly ‘security awareness’ meeting is not going to be enough to change the culture, period.