A survey by Willis Towers Watson, the multinational insurance brokerage and risk consultancy, should prove uncomfortable reading for information security officers. Whilst most of us would typically prefer to imagine that threats to our business originate from external sources, the survey makes it clear that employees are the greatest cause of cybersecurity breaches. Willis Towers Watson analyzed cyber insurance claims made by US organizations and found that 66 percent were caused by employee malfeasance or negligence. In contrast, external threats were blamed for just 18 percent of insurance claims.
The authors observe that businesses are taking action to address the weaknesses within their workforce.
Among the specific people-related actions that companies expect to take in the next couple of years, training programs for both employees and contract workers frequently top the agenda. This is particularly the case in the UK, where the survey figures indicate there is some catching up to do relative to the U.S. on the people-related risks. For example, UK employers believe that over 60% of their employees don’t understand cyber risks to a great or moderate extent. This compares with 34% of U.S. employers who feel the same. These figures allude to the fact that organizations, even across the Atlantic, are at different stages of their cyber resiliency journeys. The difference in results also highlights the need for HR and risk management functions to work more closely together on cyber risk mitigation strategies, something that only a third of companies reported they are currently doing.
I think this is a step in the right direction, but the benefits of training can also be exaggerated. There is a saying that you can lead a horse to water, but you cannot make it drink. Proponents of training sometimes suggest that if you tell people what to do, they will do it. That is naive. Some will continue to do the wrong thing, no matter how often you tell them to do otherwise. Having a corporate security policy, and communicating that policy, is irrelevant if it is not effectively enforced. But is the business willing to punish an otherwise successful manager or salesperson because they cut a corner? Employees are typically motivated to meet their targets, and they will take shortcuts if security objectives get in their way. And when it becomes normal to see the security policy as an obstacle to be overcome, it also becomes difficult to tell the difference between an employee who is genuinely trying to help the company to succeed and one who is breaking the rules in order to steal.
One reason to conduct training is so employees cannot plead ignorance when caught doing the wrong thing. That is a valid reason to give training, but preventing security breaches is better than having a strong legal argument for holding an employee accountable after a breach has occurred. When thinking of external threats, we would not attempt to educate the rest of the world in order to reduce our risks. On the contrary, we assume that there are bad actors outside of our business, and that they will identify security weaknesses in order to get ‘inside’. The results from Willis Towers Watson suggest we should be more skeptical about the motives of employees too; even if they claim to have made an honest mistake, that may not be the truth. Given that so much is spent on securing data and systems from external attack, it is time to ask if more should be spent on securing them from bad actors within the business, at least through better logging and monitoring of what employees actually do with the systems and data they have been given access to.
There has been no shortage of scandals involving fraud by senior managers within businesses. This gives us a reason to invest in internally-facing security, and it is also the reason why this expenditure will face resistance: the people who approve the budget are among those who would be watched. But given the increasing sophistication of technology, which is getting better at spotting anomalous patterns of behavior, and given the increasing amounts of data that all companies collect, and the associated responsibilities that come with that data, I can see no good reason not to invest in internal monitoring alongside the training of staff. Do not just tell people to do the right thing; find ways to check what they are doing. Often this is the job of the supervising manager, but so much of work is being automated that it is worth asking why we do not seek to automate supervision too.
There are now telecoms revenue assurance (RA) teams that are using AI to read contracts, looking for risky clauses. There are intelligent security programs that try to identify criminals by how they travel around a town. When it comes to cybersecurity, we can safely assume that users are interacting with systems, so we should already have data about users that is more amenable to automated analysis than reading a paper contract or following a person’s physical movements. Telcos invest a lot of money and time into systems that seek to identify fraudsters amongst the customer base. I see no reason not to apply similar techniques to employees as well. The easiest examples relate to the decisions made by staff in call centers and stores, where every lookup and every change to a customer account is already logged, but the same principles can be applied to other jobs too. Whilst the technology may not be perfected yet, the real challenge is having the will to implement security solutions like these. It would take a brave manager to argue that his or her fellow managers should be monitored by machines. But given the costs of cybersecurity failures, and the amounts the insurance companies are now spending on dealing with them, the financial argument for internal monitoring will keep getting stronger.
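To make the call-center case concrete, here is an added example (not from the original article, and not any vendor's product) of the kind of automated supervision described above: a peer-baseline check over customer-record lookups. The audit log, its column layout, the agent and ticket identifiers, and the thresholds are all constructed for the example. Each agent's lookup count is compared with the team using a robust z-score (median and median absolute deviation, scaled by 1.4826 so it is comparable to a standard deviation), and lookups made with no open ticket attached are counted separately, because a fraudster browsing accounts for resale looks exactly like an agent working tickets until you ask which ticket justified each record.

```python
"""Peer-baseline anomaly checks over call-centre customer-record lookups."""
from collections import Counter
from statistics import median

# Constructed sample audit log (invented for this example, not a real export).
# One line per lookup: timestamp,agent_id,customer_id,ticket_id; ticket_id is
# empty when the lookup was not made from an open support ticket.
SAMPLE_LOG = """\
2018-03-01T09:02:11,agent_01,C1001,T5001
2018-03-01T09:10:45,agent_01,C1002,T5002
2018-03-01T09:31:09,agent_01,C1003,T5003
2018-03-01T09:04:30,agent_02,C1010,T5010
2018-03-01T09:15:02,agent_02,C1011,T5011
2018-03-01T09:40:17,agent_02,C1012,
2018-03-01T10:05:55,agent_02,C1013,T5013
2018-03-01T09:06:12,agent_03,C1020,T5020
2018-03-01T09:22:48,agent_03,C1021,T5021
2018-03-01T09:50:33,agent_03,C1022,T5022
2018-03-01T10:12:01,agent_03,C1023,T5023
2018-03-01T09:01:00,agent_04,C1030,T5030
2018-03-01T09:18:21,agent_04,C1031,T5031
2018-03-01T09:37:44,agent_04,C1032,T5032
2018-03-01T09:58:10,agent_04,C1033,T5033
2018-03-01T10:20:05,agent_04,C1034,T5034
2018-03-01T09:09:27,agent_05,C1040,T5040
2018-03-01T09:29:53,agent_05,C1041,T5041
2018-03-01T09:47:16,agent_05,C1042,T5042
2018-03-01T10:08:39,agent_05,C1043,T5043
2018-03-01T09:12:04,agent_06,C1050,T5050
2018-03-01T09:44:58,agent_06,C1051,T5051
2018-03-01T10:15:22,agent_06,C1052,T5052
2018-03-01T09:03:40,agent_07,C1060,T5060
2018-03-01T09:07:12,agent_07,C1061,
2018-03-01T09:11:03,agent_07,C1062,
2018-03-01T09:14:49,agent_07,C1063,T5063
2018-03-01T09:19:31,agent_07,C1064,
2018-03-01T09:23:08,agent_07,C1065,
2018-03-01T09:27:55,agent_07,C1066,T5066
2018-03-01T09:33:20,agent_07,C1067,
2018-03-01T09:38:42,agent_07,C1068,
2018-03-01T09:42:16,agent_07,C1069,T5069
2018-03-01T09:46:50,agent_07,C1070,
2018-03-01T09:52:37,agent_07,C1071,T5071
"""


def parse_log(text):
    """Return (agent_id, customer_id, ticket_id) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, agent, customer, ticket = line.split(",")
        rows.append((agent, customer, ticket))
    return rows


def robust_z_scores(counts):
    """Robust z-score per agent: (count - median) / (1.4826 * MAD).

    Median/MAD rather than mean/stdev so one heavy user does not inflate the
    baseline meant to catch them. MAD of 0 (all agents equal) falls back to 1.
    """
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return {agent: (n - med) / (1.4826 * mad) for agent, n in counts.items()}


def audit(text, z_threshold=3.0, untied_ratio=0.5):
    """Per-agent findings: 'volume_outlier' if the agent's lookup count is a
    robust outlier against peers, 'untied_lookups' if at least `untied_ratio`
    of their lookups carry no ticket. Thresholds are example assumptions."""
    rows = parse_log(text)
    counts = Counter(agent for agent, _c, _t in rows)
    untied = Counter(agent for agent, _c, ticket in rows if not ticket)
    scores = robust_z_scores(counts)
    findings = {}
    for agent, n in counts.items():
        flags = []
        if scores[agent] > z_threshold:
            flags.append("volume_outlier")
        if untied[agent] / n >= untied_ratio:
            flags.append("untied_lookups")
        findings[agent] = {"lookups": n, "untied": untied[agent],
                           "z": round(scores[agent], 2), "flags": flags}
    return findings


if __name__ == "__main__":
    for agent, finding in sorted(audit(SAMPLE_LOG).items()):
        print(agent, finding)
```

On the constructed log, agent_07 is flagged on both counts (12 lookups against a team median of 4, seven of them with no ticket), while agent_02's single untied lookup stays below the ratio threshold. Two design points carry over from customer fraud detection: the baseline must be robust, because a naive mean-and-standard-deviation baseline would be dragged upwards by the very account you are trying to catch; and a flag is a prompt for a supervisor to look, not proof of wrongdoing, so the thresholds need tuning against the team's real false-positive rate before anyone's pay is affected.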
You can learn more about the Willis Towers Watson cybersecurity survey from here.