SCOTTSDALE, Ariz.—Experts agree that a strong cyber defense requires a focus on employees as much as it does firewalls. However, one analyst is cautioning that if those internal measures are focused more on tools than culture, the organization is making a critical misstep.
In a report in ThirdCertainty, Dan Velez, senior manager of insider threat at Forcepoint, said that most security initiatives aimed at internal fraud “begin with piecemeal technical controls, like trying to block and account for things like USB drives or mobile devices with software and policies. However, I argue that zeroing in on technical countermeasures first is looking at the problem upside-down. Instead, companies should first and foremost ask whether their corporate cultures are inviting insiders’ malicious and risky behavior—or functioning to deter it as a first line of defense.”
Velez contends that when an organization’s culture creates opportunities for abuse, motivated employees may be more disposed to mine that organization’s data for a side business, copy records on behalf of a rival, or sell files to cyber criminals.
“The sheer scale of this contributing risk factor becomes clear when you consider that high-pressure sales environments exist in many companies, to varying degrees,” said Velez, noting the Wells Fargo scandal. “This is yet another example of why security and data privacy risks always begin and end with business factors and people, not technology.”
Velez said that employees pressured into abusing data without penalty set an “increasingly toxic precedent.”
“Moreover, managers’ use of private, ‘unofficial’ mediums outside of corporate oversight—like text messages or personal email—to request or facilitate questionable conduct only reminds would-be malicious insiders that they will not arouse suspicion if they, too, use such tools in the workplace,” Velez said.
Velez emphasized that transparency, ethics and cybersecurity “go hand in hand. As complex as fighting myriad cyber risks can be across companies’ changing IT assets, too few decision-makers recognize the power of healthy leadership and corporate culture as a scalable, enterprise-wide defense.”
