Generally, the most serious cyber attacks of the past have had their roots outside the organization. We read about third-party risks in our previous article. Yet the required network opening is the weak link that allows an outsider to take advantage of an organization's vulnerability. Many times, certain bad experiences or intent provoke such weak links. Sometimes, they even work for money. Driven by greed, they are ready to sell sensitive information or data to outsiders, who barge into the organization without a second thought. We have all read about cases where stakeholders such as third-party contractors and suppliers have been a cause of network breaches, intentionally or unintentionally.
As per a survey conducted by the Information Security Forum (ISF), most network vulnerabilities resulted from unintentional behavior by insiders, arising from a lack of awareness or a laid-back attitude. Ironically, the opening was often created as an outcome of a job done by a trusted employee, e.g. taking official documents home to work on, or a lack of awareness during the recent ransomware attacks.
Spiteful insider behaviour backed by a need to harm the company is a glaring sign, e.g. after being terminated on a bad note, an employee discloses the company's sensitive strategies to a competitor for money.
Sloppy behavior is when an employee is lazy and looks for ways to avoid following the codes of conduct set by the organization. Such a careless attitude endangers the security of the company.
According to the ISD report, accidental breaches outnumbered spiteful breaches.
The Human Component
A company should learn to combat such events by limiting the actions that have the potential to cause trouble. Investing in tools for data storage, backed by secure access and documented policies and procedures, is necessary. It can help the company prevent attacks and protect data from attackers. Internal controls such as segregation of duties (SOD), audits, and documentation should be in place.
The company should properly vet employees for warning signs and carry out a proper background check. It should also categorize job applicants as either good or bad, and keep track of people who have been untrustworthy in the past or made poor choices. Moreover, employees who feel mistreated, disrespected, or abused might tend to hold grudges against the company, which could lead to retaliation. Thus, the solution is to avoid putting stakeholders in situations that might reduce their trust.
The Trust Component
The company should strive to create a culture of trust, which will help it in the long run. Whenever it recruits new employees, they have to go through a background screening. Then there should be a trust-building process via inductions, introductions and feedback. The company should train employees on its policies and procedures, which helps them understand their duties towards the organization. With time, trust will always be the most important factor for retaining the employee.
Once that culture is built, the organization should have a common value system in place that encourages ethical behavior. Tools like VComply help the organization build such a robust system. Having a culture of trust helps in setting standards and reaching benchmarks of information security. It is necessary for sustainable growth and future success.