Weak link or 'conscious link'? This is how you deal with insider risks as an organization
"Who thinks the employee is the weakest link?" I regularly ask that question when I give a keynote. Almost always, several people raise their hands. Because, the reasoning goes, the employee poses an insider risk (especially today, and especially in organizations that are constantly changing).
An understandable line of reasoning. But it is also a pity to adopt this perspective, because with the right approach people can surprise you enormously. That is how you turn the 'weak link' into a conscious link.
Awareness, boundaries and culture: what measures can you take?
First, let's take a closer look at the concept of insider risk. Two types of employees can fall under this:
- The employee who is full of good will, but unknowingly causes a data breach or facilitates a cyber attack.
- The employee who is blackmailed or pressured by a criminal organization to leak or exploit data.
In both cases, you want to take measures to make your employees aware of security risks.
First of all, you do this by creating security awareness: when you train employees and walk them through how (differently) the world looks today, they learn to recognize specific security threats.
In addition, it is important to set technological boundaries from within the organization, so that employees are simply unable to perform certain actions. For example, you can configure things so that employees cannot paste specific documents into ChatGPT, or cannot send them to a Gmail account.
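An added example (not Wortell's tooling or code from this article) of the kind of egress boundary just described: a small policy check that blocks labelled documents from leaving via ChatGPT or a Gmail address, while letting public documents and sanctioned destinations through. The event fields, sensitivity labels, and domain list are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed: destinations the organization has not sanctioned for company documents.
UNSANCTIONED_DOMAINS = {"chatgpt.com", "chat.openai.com", "gmail.com", "googlemail.com"}

# Assumed sensitivity labels, from least to most restricted.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class EgressEvent:
    user: str
    document: str
    label: str          # sensitivity label attached to the document
    destination: str    # upload host, or recipient address for email
    channel: str        # "browser_upload" or "email"


def domain_matches(host: str, blocked: set) -> bool:
    """True if host equals, or is a subdomain of, any blocked domain."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocked for i in range(len(parts)))


def evaluate(event: EgressEvent, min_block_label: str = "internal") -> str:
    """Return 'block' or 'allow' for one egress event; unknown labels fail closed."""
    if event.label not in LABEL_RANK:
        return "block"
    if LABEL_RANK[event.label] < LABEL_RANK[min_block_label]:
        return "allow"  # public material may go anywhere
    # For email, the relevant domain is the part after the '@' of the recipient.
    dest = event.destination.split("@")[-1] if event.channel == "email" else event.destination
    return "block" if domain_matches(dest, UNSANCTIONED_DOMAINS) else "allow"


# Constructed sample events, one per situation the policy has to handle.
SAMPLE_EVENTS = [
    EgressEvent("alice", "q3-forecast.xlsx", "confidential", "chatgpt.com", "browser_upload"),
    EgressEvent("bob", "press-release.docx", "public", "chatgpt.com", "browser_upload"),
    EgressEvent("carol", "customer-list.csv", "internal", "c.private@gmail.com", "email"),
    EgressEvent("dave", "customer-list.csv", "internal", "partner@example.org", "email"),
    EgressEvent("erin", "payroll.pdf", "unlabelled", "intranet.example.com", "browser_upload"),
]


def run(events):
    return [(e.user, evaluate(e)) for e in events]


if __name__ == "__main__":
    for user, decision in run(SAMPLE_EVENTS):
        print(f"{user}: {decision}")
```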
Another crucial aspect is the culture you create around security challenges. Suppose an employee has clicked on a phishing link. Or is put under enormous pressure to install a control panel somewhere and is suddenly an unwanted part of a web of cybercriminals. How big is the threshold to approach someone within the organization in such a case? Can the employee tell the story somewhere? If so, how is the employee treated: as a victim who needs help or as the person responsible for the consequences?
The right approach is built with the right Lego blocks
Security awareness no longer means giving a training once a year so you can feel safe again for the next 11 months. In a world full of AI tools and smart cybercriminals who are after company data day and night, you need to work on it constantly and constructively.
You want to include all kinds of aspects. Think of the sector in which you operate, the activities you carry out, the organizational culture and the people who work for you. There are various Lego blocks that you want to select and place in such a way that they form a strong security foundation for your organization.
At Wortell, we start with the employees themselves. Who does someone often work with? What information does this person need to do the job well? And at what times is the employee most active online? By understanding these kinds of work patterns, we create an approach that meets the needs of this persona. We then repeat that process for other types of employees.
For each customer, we ultimately draw up an approach that is fully tailored to the organization and the employees within it. Isn't that very complex? Not really. We have a lot of knowledge in-house and set everything up efficiently. Moreover, we have recently engaged two strong partners in the field of security awareness to implement our vision even better: one focuses on sector-specific use cases, the other on the individual.
Together we cover all factors that are important for an effective approach. What does this result in? An employee who is not a weak, but a conscious link!