An ethical business culture should be first line of defense against cyber risk
Healthy leadership, accountability can deter potentially dangerous insider behavior
By Dan Velez, Special to ThirdCertainty
Anonymous theft and abuse of business data is a growing risk for a growing number of organizations.
Most security initiatives aimed at this problem begin with piecemeal technical controls, like trying to block and account for things like USB drives or mobile devices with software and policies.
However, I argue that zeroing in on technical countermeasures first is looking at the problem upside-down. Instead, companies should first and foremost ask whether their corporate cultures are inviting insiders’ malicious and risky behavior—or functioning to deter it as a first line of defense.
The ongoing Wells Fargo controversy is a perfect case in point.
Media accounts claim Wells Fargo managers pressured employees to meet aggressive growth quotas by signing up account holders for new accounts and financial services they never requested—reportedly netting the bank significant income in new fees and service charges. In effect, workplace cultures like this create a slippery slope fostering a wider range of “fallout” insider threat behaviors.
When an organization’s culture creates opportunities for abuse, motivated employees may be more disposed to mine that organization’s data for a side business, copy records on behalf of a rival, or sell files to cyber criminals.
The sheer scale of this contributing risk factor becomes clear when you consider that high-pressure sales environments exist in many companies, to varying degrees. This is yet another example of why security and data privacy risks always begin and end with business factors and people, not technology.
Employees pressured into abusing data without penalty set an increasingly toxic precedent. Moreover, managers’ use of private, “unofficial” mediums outside of corporate oversight—like text messages or personal email—to request or facilitate questionable conduct only reminds would-be malicious insiders that they will not arouse suspicion if they, too, use such tools in the workplace. How prevalent is this conduct? The answer matters because these behaviors are risk variables as important as patch levels and app permissions.
Recent bank investigations are a reminder for CEOs and CISOs alike that transparency, ethics and cybersecurity go hand in hand. As complex as fighting myriad cyber risks can be across companies’ changing IT assets, too few decision-makers recognize the power of healthy leadership and corporate culture as a scalable, enterprisewide defense.
Soul-searching in the wake of today’s headlines should include serious thoughts about making an ethical, highly visible business culture the first line of deterrence against ubiquitous insider risks. Accountability and leadership should play a larger role in safeguarding data and keeping business partners in line long before factoring in USB drives and mobile devices.