Although security leaders may be effective at reducing the impact of cyberattacks within their own four walls, board directors should be aware that malicious insiders are still one of the top two threats, according to our research. It is a fact that serves as a timely reminder for all organizations—protect yourselves from the inside out.
According to the Accenture Ninth Annual Cost of Cybercrime Study, organizations have experienced sizable increases in phishing and social engineering attacks, up 16 percent; ransomware, up 15 percent; and stolen devices, up 13 percent in just one year. These are all areas of concern that give credibility to the argument that humans are still the weakest link when it comes to an organization’s cybersecurity defenses. And with 71 percent being vulnerable to hacking groups using spear phishing, a 55 percent spam rate, and 669 million new malware threats in the last couple of years, a momentary lapse of concentration can prove highly damaging. The prospect of 200 billion connected things by the year 2020 means this vulnerability is only going to get worse for your company and its employees.
Today, the security function is largely centralized and its staff are often excluded when new products, services, and processes—all of which involve some sort of cyber risk—are being developed. This siloed approach can result in a lack of accountability across the organization and a misplaced perception that security isn’t everyone’s responsibility—only 16 percent of CISOs in our survey said employees are responsible for cybersecurity today.
At a granular level, even where organizations regularly pressure-test their resilience, people can invalidate red and blue team exercises. They may have difficulty behaving like a real adversary, or they develop “blue team fatigue” following a constant stream of demoralizing attacks. Worse still, they may develop unhealthy divisions and fail to communicate effectively before, during, and after an exercise.
As a result, the board should assume the task of holding the C-suite accountable for putting people first as a security priority throughout the organization.
To tackle insider threats and foster a culture of accountability, boards should ensure that CEOs rally human resources, talent development, legal, and information technology teams to work closely with the security office and business units. Here are five ways directors can suggest that their organizations take on this risk from within:
- Train and reinforce safe behaviors. New work arrangements—greater use of contractors and remote work—make the need for employee training more urgent. Yet, training employees to think and act with security in mind is the most underfunded activity in cybersecurity budgets. Immersive communications and gamified learning can create sustained behavior change that could drive greater security.
- Build cybersecurity champions. Cybersecurity champions can not only act as advocates for security across the organization, they can also provide feedback to the central team on the effectiveness of security programs. As with many other facets of culture, the board can lead the way by becoming cybersecurity champions.
- Reward “security-first” behaviors. In our survey, only 41 percent of companies indicated that they offer incentives for business leaders who are committed to cybersecurity. Rewards are one tool that boards can use to stimulate the desired cybersecurity hygiene behaviors throughout the organization.
- Maintain strong defenses. As well as standard data protection techniques such as encryption and rights management, user and entity behavior analytics (UEBA) systems can flag suspicious employee activity, such as unusual file transfers that could indicate criminal intent. Ask whether the security team has these practices in place.
- Help people be prepared. Suggest that the security team prepare by running exercises and testing for end-to-end effectiveness. Their practice should be to monitor activity continuously and vigilantly, using sophisticated techniques such as micro-segmentation for access control—keeping sensitive assets isolated so that damage is limited in the event of a breach.
People are often unaware of cybersecurity threats, think they’re already protected by existing procedures, or underestimate the repercussions of a security breach. And while there is no single behavior that keeps people secure online, the vulnerabilities posed by humans can be effectively addressed.
Accenture has developed a Human Vulnerability Assessment—a diagnostic tool based on a data-centric approach. It identifies the highest priority areas to help people stay safe, the immediate actions and interventions needed to improve their weaknesses, and offers benchmarks to make comparisons across industries or geographies.
If you expect to fully protect your high-value assets, keep “the people dimension” in mind. When security behaviors are better monitored and managed, people can be part of the solution, not the problem.
Bob Kress is a managing director at Accenture Security where he is the co-chief operating officer and the global lead for quality and risk.