These days, the threat landscape for most companies is massive. But while there is a litany of outside threats that their security teams need to worry about, there is often an even greater danger much closer to home. Insider threats are an issue that no company is safe from, with breaches not just occurring at the hands of a disgruntled or malicious employee, but also unintentionally as a result of ignorance.

At this year’s CSO40 Security Confab and Awards, Arthur Wang, ReSource Pro’s information security and helpdesk supervisor, took to the stage to talk about mitigating those threats by spreading awareness and encouraging best practices for security and privacy. While many of the challenges his security team faced – being seen as an enforcer and not a partner, compliance issues, a limited budget, poor awareness of security policies, adaptation to new risks, etc. – would undoubtedly sound familiar to some, it’s how Wang chooses to address those issues that’s unique.

“Security is more than just policies and procedures,” said Wang. “We must also consider the human element.”

Considering the human element is where security teams tend to differ in their approaches. For some, the human element doesn’t even come into play, and security amounts to little more than checking off the boxes to meet compliance requirements. Others, like KnowBe4, prefer to take the harsher approach and punish employees who make mistakes that may compromise company security in an effort to discourage negligence. Wang and ReSource Pro, however, take a more supportive, positive approach to spreading awareness. One initiative, for example, was introducing a “Most Secure Process Department Award” to recognize achievements and contributions to improve employee awareness.
The company even went as far as providing a monetary reward to the winning department.

Whether or not the approach of support over punishment works for all companies and employees remains to be seen, but the success of Wang’s encouraging approach could at least be backed by stats. After running for a year and a half and issuing the award to eight processing departments, ReSource Pro found that 93 percent of its 1600+ employees had participated and 154 award submissions were received. “The award created unprecedented employee engagement,” said Wang.

And aside from increased employee engagement, there was – more importantly – a measurable positive impact on the company’s security. “There was a reduction in security compliance issues,” said Wang, who pointed to a subsequent downward trend over the years in the company’s internal policy compliance issues. While there were six in 2011, there were only four in 2012, and then a mere three in 2013.

“With this approach, there was an impact on risk mitigation rather than technology prevention,” he said.

The positive encouragement in an attempt to spread security awareness was not just limited to the award, however. Wang also mentioned a number of other methods he adopted to help mitigate insider risks, ranging from the simple to the unorthodox.

Wang admitted that even as the person who was responsible for creating ReSource Pro’s security policies, he couldn’t remember every last one of them; it simply isn’t feasible without reminders. So one of his more basic approaches to increasing awareness involves educating employees about security and privacy policies by having them pin up colorful, engaging lists in their cubicles.
Similarly, the company circulates simple comics constructed from internet memes to remind employees of the proper course of action in certain scenarios, like repeatedly entering a password incorrectly.

But some of the approaches were even a little more creative, like a crossword puzzle for which all of the answers referenced security policies. Employees can even be reminded by an audio prompt – humorously similar in nature to a pre-recorded aircraft safety video – how to properly close up shop at the end of a work day without creating any risk of a security breach (leaving computers on or logged in with sensitive data open, leaving physical documents or written passwords out on one’s desk, etc.). By using these kinds of methods, said Wang, “I believe security policies will not be that hard to remember.”