Three tools to reduce employee apathy
There's a gap between information security awareness and action.
Organizations are spending more time and resources on security awareness training than ever before. In late
2016, Gartner analysts predicted that annual security product and services spending would top $81 billion
globally. Despite the fact that companies are putting budget and hours towards training their people, human
behavior might not be improving.
The 2016 Verizon Data Breach Investigations Report (DBIR) found that human behavior was behind the
majority of security incidents with data loss. Twenty-six percent of employee-caused incidents involved
sending sensitive info to the wrong person. The DBIR also indicated 23% of phishing recipients opened a
malicious email, while 12% of phishing targets went on to open malicious attachments or links.
If humans are receiving all the right knowledge to avoid risky behavior but are still causing security incidents,
what needs to change?
Your Employees May Be Too Apathetic Towards Information Security
When knowledge results in changed behavior, that's action. When knowledge isn't transferred into choices,
it's known as apathy. If you've ever wondered whether apathy is localized to your organization, it may help to
know that some data indicate it's pretty widespread. In 2015, a study by SailPoint indicated that 1 in 5
employees globally would sell their work passwords for the right price—and for some employees, the right
price was as little as $150.
Apathetic employees might not actually hand over their login credentials to cybercriminals, but they're a lot
less likely to pull from their information security awareness knowledge when it comes to daily behaviors.
Apathy isn't a simple issue, and it's also not one that IT can tackle by themselves.
Human security behavior is not improving even though security and services spending is topping $81 billion worldwide, according to
Gartner Research. Why is this?
Because there is a pretty large chasm between cyber security awareness and taking action. No action leads to employee apathy, and
it is widespread among most companies. There are a few technology companies, like Securable.io, that work with many companies to
reduce the apathetic chasm substantially through hands-on "just in time" behavior training and awareness.
The 2016 Verizon Data Breach Report states that human actions are more than 60 percent of information security issues. Human factors are
the number one cause of information security loss. The report further discusses that 26% of employees sent delicate information to the
incorrect person, while twenty-three percent opened a malware phishing email.
All this information leads to employees being too apathetic. When the pain exceeds the cost of change, then steps to take action occur.
Thus, when education is not transferred correctly and into actionable choices, this is known as apathy. A 2015 SailPoint study
indicates 20% of employees would sell their work passwords for as little as $150.
Detachment / Apathy is not an easy issue to resolve; it is also not one that IT can tackle by themselves. The entire organization needs to
be engaged. At the core is interlacing proactive security behaviors into the company value system.
Your People Could Be Too Bored With Info Security
When information ends up in modified behaviour, that is action. When information isn't transferred into selections, it's known as
detachment. If you have ever wondered whether boredom is local to your organisation, it may help to understand that some info
indicates it's pretty established. In 2015, a study by SailPoint pointed to the fact that one in five staff worldwide would sell
their work passwords for the right price, and for some staff, the most attractive price was as little as $150.
Bored workers may not actually hand over their login credentials to cybercriminals, but they are a lot less likely
to pull from their info security awareness information when it comes to daily behaviours.
Join us as we review the way to fight worker detachment at your organisation with collaboration, culture, and the right IT technology.
1. Join Together with HR to Address Engagement Issues
"Worker engagement" is a term which has received lots of attention in the enterprise management space during
the past year. 2016 information from Gallup indicates 32% of staff in the U.S. are engaged in their work, which is understood to be
being "concerned in, excited about and committed to their work and office." The drop in average engagement is so grim, Gallup
researchers are making reference to it as a "crisis."
While a dearth of discontentment with the office is not really a battle IT can fight alone, engagement is an IT issue because
disengaged workers can exhibit bored behaviours toward security.
If IT leadership were to work with human resources and other functions to boost engagement, what would that look like? Deloitte
research suggests improving engagement with the following actions:
Help staff find meaning through work.
Raise inspiring and galvanizing leaders.
Improve office pliability, variety, and inclusiveness.
Build chances for expansion.
Develop "vision, purpose, and transparency".
Heading towards happier, more profitable staff definitely isn't something IT can achieve alone. But if engagement is not a concern at the
office and security behaviours are suffering, supporting a company-wide movement towards engagement could reduce security risks.
Join us as we review how to fight employee apathy at your organization with collaboration, culture, and the
right IT technology.
1. Join Forces with HR to Address Engagement Issues
"Employee engagement" is a term that has received a lot of attention in the business management space in
the past year. 2016 data from Gallup indicates 32% of employees in the U.S. are engaged in their work, which
is defined as being "involved in, enthusiastic about and committed to their work and workplace." The drop in
average engagement is so severe, Gallup analysts are referring to it as a "crisis."
While a lack of dissatisfaction with the workplace is hardly a battle IT can fight alone, engagement is an IT
issue because disengaged employees can exhibit apathetic behaviors towards security.
If IT leadership were to work with human resources and other functions to improve engagement, what would
that look like? Deloitte research recommends improving engagement with the following actions:
Help employees find meaning through work.
Elevate encouraging and inspiring leaders.
Improve workplace flexibility, diversity, and inclusiveness.
Establish opportunities for growth.
Develop "vision, purpose, and transparency".
Moving towards happier, more productive employees certainly is not something IT can accomplish on their
own. However, if engagement isn't a priority at the workplace and security behaviors are suffering, supporting
a company-wide movement toward engagement could reduce security risks.
2. Quickly Identify Disgruntled Employees
The vast majority of human error that results in a data breach is caused by apathetic employees who aren't
paying attention or applying their knowledge. However, not all security incidents are a mistake. Disgruntled
employees sometimes cause egregious breaches with intent to behave in criminal ways.
Can apathy lead to disgruntled behavior? With the right mix of cultural and personal elements, it is possible. In
the past few years, unhappy or angry employees have contributed to data loss at organizations like the Korean
Credit Bureau (KCB), Sage, and EnerVest. In the instance of KCB, CNN stated in 2014 an estimated 40% of
Korean citizens were impacted over the course of several years.
To learn more, we recommend 8 Examples of Internal-Caused Data Breaches.
Employees with access to sensitive data, such as members of the IT or leadership team, may present an
elevated risk if they become disgruntled toward their organization. The topic of disgruntled worker risk is
another concept that IT cannot fight alone--it's a company-wide effort that should involve collaboration
between leadership.
However, monitoring logs and identifying unusual behaviors can be an important first step towards mitigating
damage if an employee decides to lash out. Finally, when employees are terminated, IT should work to
remove access immediately, and shut down accounts, to ensure data is not taken off the premises.
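One way to check the two points above, as an added example that is not part of the original article: cross-reference HR termination times with directory state and authentication logs, flagging accounts left enabled and any logins after termination. The user names, log format and data are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (hypothetical users and log format).
TERMINATED = {  # user -> termination time recorded by HR
    "jdoe": datetime(2017, 3, 1, 17, 0),
    "asmith": datetime(2017, 3, 3, 12, 0),
}
ENABLED = {"jdoe": True, "asmith": False, "bwong": True}  # directory state
AUTH_LOG = """\
2017-03-01T09:12:00 jdoe vpn SUCCESS
2017-03-01T22:47:10 jdoe vpn SUCCESS
2017-03-02T01:05:33 jdoe fileserver SUCCESS
2017-03-02T08:00:02 bwong vpn SUCCESS
2017-03-04T03:14:00 asmith mail FAILURE
"""


def parse_events(text):
    """Yield (timestamp, user, service, result) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the audit
        ts, user, service, result = parts
        yield datetime.fromisoformat(ts), user, service, result


def audit_offboarding(terminated, enabled, log_text):
    """Return sorted (severity, user, detail) findings for terminated users."""
    findings = []
    for user in terminated:
        if enabled.get(user, False):
            findings.append(("HIGH", user, "account still enabled"))
    for ts, user, service, result in parse_events(log_text):
        when = terminated.get(user)
        if when is None or ts <= when:
            continue  # active employee, or activity before termination
        if result == "SUCCESS":
            findings.append(("HIGH", user, f"login to {service} at {ts.isoformat()}"))
        else:
            findings.append(("LOW", user, f"rejected login to {service} at {ts.isoformat()}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, user, detail in audit_offboarding(TERMINATED, ENABLED, AUTH_LOG):
        print(f"{severity:4} {user:7} {detail}")
```

A rejected login after termination is reported at low severity because it shows revocation worked, but it is still worth a look as a sign the former employee tried to get back in.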
3. Use Technology to Support the Right Behaviors
A culture that supports engagement with work and information security is a company-wide mission that
probably can't be accomplished overnight. IT leaders must play an active role in collaborating with HR and
other members of the leadership team in creating a culture that supports happy and secure talent. However,
even at the healthiest organizations, human error, and the occasional disgruntled employee may still be
inevitable.
IT should look towards technologies that can minimize the impact of mistakes or deliberate damage. With the
right technical safeguards, you can protect against mistakes and quickly clean up damages. Technical
safeguards could include:
Policy-based administration for access and identity management
Smart email tools for sandboxing, filtering, and preventing the release of sensitive information
File integrity monitoring to establish accountability
CimTrak Protects
IT can work to educate employees and help resolve cultural issues, but they cannot fix deep-seated issues of
apathy within an organization. Achieving cultural change can be a long process that involves cross-functional
collaboration between tech, HR, and other leadership.
CimTrak is the only FIM solution that allows security administrators to reverse changes in real-time directly
from the management console, allowing you to maintain data integrity.
- See more at: http://blog.cimcor.com/employee-apathy-is-still-one-of-the-top-cyber-security-threats-in-2017#sthash.3LdKARPO.dpuf