An ethical business culture should be first line of defense against cyber risk

Healthy leadership, accountability can deter potentially dangerous insider behavior


Anonymous theft and abuse of business data is a growing risk for more organizations.

Most security initiatives aimed at this problem begin with piecemeal technical controls, like trying to block and account for things like USB drives or mobile devices with software and policies.

However, I argue that zeroing in on technical countermeasures first is looking at the problem upside-down. Instead, companies should first and foremost ask whether their corporate cultures are inviting insiders’ malicious and risky behavior—or functioning to deter it as a first line of defense.


The ongoing Wells Fargo controversy is a perfect case in point.

Media accounts claim Wells Fargo managers pressured employees to meet aggressive growth quotas by signing up account holders for new accounts and financial services they never requested—reportedly netting the bank significant income in new fees and service charges. In effect, workplace cultures like this create a slippery slope fostering a wider range of “fallout” insider threat behaviors.

When an organization’s culture creates opportunities for abuse, motivated employees may be more disposed to mine that organization’s data for a side business, copy records on behalf of a rival, or sell files to cyber criminals.

The sheer scale of this contributing risk factor becomes clear when you consider that high-pressure sales environments exist in many companies, to varying degrees. This is yet another example of why security and data privacy risks always begin and end with business factors and people, not technology.

Employees pressured into abusing data without penalty set an increasingly toxic precedent. Moreover, managers’ use of private, “unofficial” channels outside of corporate oversight—like text messages or personal email—to request or facilitate questionable conduct only reminds would-be malicious insiders that they will not arouse suspicion if they, too, use such tools in the workplace. How prevalent is this conduct? The answer matters because these behaviors are risk variables as important as patch levels and app permissions.

Recent bank investigations are a reminder for CEOs and CISOs alike that transparency, ethics and cybersecurity go hand in hand. As complex as fighting myriad cyber risks can be across companies’ changing IT assets, too few decision-makers recognize the power of healthy leadership and corporate culture as a scalable, enterprisewide defense.

Soul-searching in the wake of today’s headlines should include serious thoughts about making an ethical, highly visible business culture the first line of deterrence against ubiquitous insider risks. Accountability and leadership should play a larger role in safeguarding data and keeping business partners in line long before factoring in USB drives and mobile devices.
