User privacy is a growing concern, but one that seemingly sits second in importance to an organisation’s overall cybersecurity priorities. For some, it can feel necessary to embrace one over the other. Indeed, as data leaks, misuse and breaches continue to wreak havoc for both companies and the customers that they serve, a ‘zero trust’ approach to data security has come to the forefront. Yet, when it comes to insider threats, taking a distrustful stance can be counterproductive, dampening productivity and damaging morale. But trust is a two-way street.
While employees are fundamental to every business, they can also be a prime channel for information loss via negligent or malicious actions. Knowing this, an organisation’s IT staff must take the right steps to enable different modes and means of working that suit both employees and the business, but without putting valuable data and systems at heightened risk.
New findings from a global survey into how trust shapes company culture and cybersecurity reveal that there’s a lot that IT leaders, in particular, must improve on to adjust to this brave new world, where BYOD, remote work and the gig economy are the ‘new normal.’
Indeed, the study of 600 technology and security decision-makers globally shows that 67 per cent permit remote work, while at the same time a sizeable 42 per cent report that contractors and/or freelancers use personal devices for work activity. It’s clear from these insights alone that most organisations want – and expect – to trust their personnel when it comes to cybersecurity, whether full-time, freelancers or contractors, and certainly, personnel want to be trusted too.
However, despite the inherent security risks of remote work and the use of personal devices, the data shows that many IT leaders are hindering their own best security efforts from the inside out, with notable gaps in employee training, the management of protocols and implementation of security processes. Take, for example, how 43 per cent of organisations admit that they don’t even have a policy that prohibits staff from taking IP/data with them when leaving employment, while almost 60 per cent of IT heads don’t explain the contractual penalties of an insider-led data breach – whether due to making a mistake or because of bad intentions – to their employees. This leaves many employees in the dark as to their role in keeping their organisation safe – and the repercussions if they fail to do so.
Taking the lead
It must also be remembered that there are many ways that trust can be misguided or misplaced. For example, last year, research found that travelling employees valued connectivity more than security – with 77 per cent connecting to open WiFi connections while on the move and 63 per cent accessing work emails and files via these open connections. While using hotel WiFi may seem like a harmless convenience, and USBs are an easy way to transfer information, these unsecured and unmonitored connections expose businesses to potential data breaches. Without the proper training or suitable alternatives, it’s no surprise that employees are prioritising ease and speed over cybersecurity.
In an ever-evolving work environment, with 5G on the near horizon and more and more devices being used to access company information, there’s no getting away from the fact that companies need to take the lead and establish clear protocols for all users handling data and IP regardless of location, device or employment classification. This information must also be communicated to staff in a clear and timely fashion.
Embedding trust verification technologies into existing workflows in a mindful way can also play a crucial role in enhancing trust between employers and employees. Technologies that monitor and track user and data activity can be deployed without overriding or devaluing an individual insider’s privacy. It’s worth noting that, in today’s complex operating environment, 92 per cent of organisations accept that investment in new technologies that verify trust, no matter where the insider is, is needed to protect proprietary systems, files, and data. At the same time, 89.5 per cent of the UK IT leaders surveyed recognise that a happy workforce is more likely to keep an organisation secure than an unhappy one. This insight highlights why it is important to connect the dots between cybersecurity policies and employee buy-in.
In today’s world, locking down data access and application usage might seem like the only way to make a business more cyber-resilient from the inside out. But this forgets that while employees are, indeed, a prime channel for information loss, they are also an important line of defence.
Businesses have an opportunity to educate their trusted insiders to be vigilant about their activity on corporate networks, while they can also do a lot to make sure that security processes and policies are fair, relatable and transparent. Ultimately, by recognising the value of trust and bringing together the right people, right processes and right technology, business leaders will find themselves empowered to both safeguard valuable assets and mitigate insider threats in a holistic and proactive way.
Chris Bush is Head of Security at ObserveIT