User Behaviour to Better Understand Insider Threats

It’s often said that employees are the weakest link in the corporate cybersecurity chain. This would certainly explain why phishing attacks have become the number one threat vector for cyber-attacks.

So how concerned do we need to be about our employees? IT and business leaders need to know where the risks are, so they can take concrete steps to address it. In doing so, they must also remember that no two employees are the same.

There are actually four distinct personas in every organisation. Understanding these will help to inform more effective staff training and awareness, although technology controls are also an essential part of any security strategy.

Fearful employees are anxious about doing something wrong that might expose themselves or their organisation to risk. They are highly accountable for their own behaviour, even if they don’t know precisely what cyber risks are out there and how to manage them. As such, they may deploy risk avoidance strategies such as declining tasks or waiting for advice and guidance from others first.

Conscientious workers are well versed in understanding cybersecurity risks and take heed of advice accordingly. They don’t just avoid risk but proactively take steps to manage it, such as using VPNs for accessing external sites. They are also highly accountable for their own behaviour and mindful of their role in protecting the organisation.

Ignorant users are a key risk for organisations due to their lack of cyber awareness and absence of accountability for their own behaviour. They are careless and take risks such as using public Wi-Fi on work devices, although their limited awareness of risk means they may not understand the significance of these actions.

Daredevil employees display a similar carelessness and lack of diligence as ignorant users, although in their case it is not driven by ignorance but recklessness and perceived superiority. They have no regard or accountability for their own behaviour and instead attribute this externally to others.

Advice for IT leaders

Consider the following steps to help minimise cloud security risks stemming from employee error or negligence:

Fearful employees will benefit from training in how certain behaviours lead to specific risks, and demonstrations of proactive behaviours that can make them more cyber-secure employees. Simulation environments can be useful here, allowing fearful users to try things they wouldn’t normally do. Tools installed onto user machines that test files/URLs and provide real-time feedback are also beneficial for learning, as is actionable threat information. These personas would benefit from a buddy or mentor from the conscientious group, alongside a “blame-free” culture in the organisation.

Conscientious employees are ideal individuals to team up with others as security champions. Good practices should be recognised, rewarded and used as an example for others to follow.

Ignorant users need basic training to begin with, followed by practical advice on how to mitigate risk. Keeping instructions simple is key, perhaps using gamification techniques and simulation exercises can be useful to engage the individual. Additional interventions may be required to help them truly understand the consequences of risky behaviour.

Daredevil users will need to be handled in a similar way to ignorant personas. However, they may be less persuaded by authority and so other tactics are required to change behaviour, such as award schemes for compliance. In extreme cases, managers may need to restrict access to sites and applications and use additional controls like DLP to mitigate risk in the meantime. Read More

iTM covers all aspects of cybersecurity from Home cyber security managed solutions to automated, manage threat intelligence, forensic investigations and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.