Talking insider threats at the CSO40 Security Confab and Awards

These days, the threat landscape for most companies is massive. But while there is a litany of outside threats that their security teams need to worry about, there is often an even greater danger much closer to home. Insider threats are an issue that no company is safe from, with breaches not just occurring at the hands of a disgruntled or malicious employee, but also unintentionally as a result of ignorance.

At this year’s CSO40 Security Confab and Awards, Arthur Wang, ReSource Pro’s information security and helpdesk supervisor, took to the stage to talk about mitigating those threats by spreading awareness and encouraging best practices for security and privacy. While many of the challenges his security team faced – being seen as an enforcer and not a partner, compliance issues, a limited budget, poor awareness of security policies, adaptation to new risks, etc. – would undoubtedly sound familiar to some, it’s how Wang chooses to address those issues that’s unique.

“Security is more than just policies and procedures,” said Wang. “We must also consider the human element.”

Considering the human element is where security teams tend to differ in their approaches. For some, the human element doesn’t even come into play, and security amounts to little more than checking off the boxes to meet compliance requirements. Others, like KnowBe4, prefer to take the harsher approach and punish employees who make mistakes that may compromise company security in an effort to discourage negligence. Wang and ReSource Pro, however, take a more supportive, positive approach to spreading awareness.

One initiative, for example, was introducing a “Most Secure Process Department Award” to recognize achievements and contributions to improve employee awareness. The company even went as far as providing a monetary reward to the winning department.

Whether or not the approach of support over punishment works for all companies and employees remains to be seen, but the success of Wang’s encouraging approach could at least be backed by stats. After running for a year and a half an issuing the award to eight processing departments, ReSource Pro found that 93 percent of its 1600+ employees had participated and 154 award submissions were received.

“The award created unprecedented employee engagement,” said Wang.

And aside from increased employee engagement, there was – more importantly – a measurable positive impact on the company’s security. “There was a reduction in security compliance issues,” said Wang, who pointed to a subsequent downward trend over the years in the company’s internal policy compliance issues. While there were six in 2011, there were only four in 2012, and then a mere there in 2013.

“With this approach, there was an impact on risk mitigation rather than technology prevention,” he said.

The positive encouragement in an attempt to spread security awareness was not just limited to the award, however. Wang also mentioned a number of other methods he adopted to help mitigate insider risks, ranging from the simple to the unorthodox.

Wang admitted that even as the person who was responsible for creating ReSource Pro’s security policies, he couldn’t remember every last one of them; it simply isn’t feasible without reminders. So one of his more basic approaches to increasing awareness involves educating employees of security and privacy policies by having them pin up colorful, engaging lists in their cubicles. Similarly, the company circulates simple comics constructed from internet memes to remind employees of the proper course of action in certain scenarios, like repeatedly entering a password incorrectly.

But some of the approaches were even a little more creative, like a crossword puzzle for which all of the answers referenced security policies. Employees can even be reminded by an audio prompt – humorously similar in nature to a pre-recorded aircraft safety video – how to properly close up shop at the end of a work day without creating any risk of a security breach (leaving computers on or logged in with sensitive data open, leaving physical documents or written passwords out on one’s desk, etc.).

By using these kinds of methods, said Wang, “I believe security policies will not be that hard to remember.”