Exploring the Relationship between Company Culture and Insider Threats


By: Steve Salinas, director of solutions marketing, Exabeam

Security teams are trained to take decisive action when an attacker is detected. Using specialized tools, technologies and processes, their biggest responsibility is to mitigate the impact of a breach.

While this approach is valid and needed to ensure business continuity, there are other initiatives an organization can and should undertake to minimize the chance an attacker even gets the opportunity to carry out their attack. This is especially true when the attacker either takes advantage of a trusted insider or, in the worst case, is a trusted insider.

Company Culture and Insider Threats are Related

September is National Insider Threat Awareness Month, a month created by several US government agencies to bring awareness to the dangers of insider threats in both the public and private sector. The theme this year is, “Insider Threat and Cultural Awareness.”

In today’s corporate environments, most organizations are paying closer attention to how their culture, processes and overall working environment respects the cultural diversity that exists across their employee population. The intent, in most cases, is to ensure they create a culture where every employee can express their opinion without fear or judgment from management or other employees.

By and large, organizations have made significant strides in promoting an inclusive culture; however, even the most well-intentioned management team might not see how culture impacts an organization’s security posture.

So, what does culture have to do with insider threats? Great question. Let’s first look into who an insider threat could be and the potential consequences.

Exploring Accidental and Intended Insider Threats

There are several personas that can fit the profile of an insider threat. Examples include current employees, business partners, suppliers, former employees, contractors and more. There are two general categories of threat: the accidental and the intended.

Accidental insider threats arise when users are equipped with inappropriate access rights, or when an individual unintentionally performs a harmful action, such as downloading a suspicious application or providing their credentials in response to a phishing email.

The hybrid work setting many organizations have implemented in the wake of the pandemic has created vulnerable environments where people are falling victim to well-crafted phishing emails disguised as official communication from corporate and other organizations. Unfortunately, this is the perfect storm for an insider threat to occur.

On the other hand, there is the intended threat, where the formerly trusted employee turns against the company, for either profit or some sort of revenge that causes significant harm. The Center for Development of Security Excellence (CDSE) points out that these insiders are at risk of causing harm to themselves, harm to others or damage to their organizations. These insiders often display concerning behaviors that result from a combination of personal predispositions and/or an inability to cope with life stressors.

Either way, accidental or intentional, once discovered, the security team must scramble all available assets to mitigate this threat.

How Company Culture Impacts Both Accidental and Intended Insider Threats

According to the CDSE, a culturally competent organization has the capacity to introduce and integrate various cultures or subcultures in order to produce better outcomes and enhance operational effectiveness. In the context of insider risk, this can be measured by the successful prevention, detection, deterrence and mitigation of the potential insider threat in all its manifestations.

Now let’s look at how culture can impact both of the threat types, and what steps companies can take to minimize the chance either of these threats ever materializes.

The Accidental Threat

The best way to avoid the accidental threat is to provide employees with training that teaches them how to spot potential attacks. Remember though that there is no one-size-fits-all approach. Flexibility must be built into training plans to allow employees to consume the material in different ways. Consider regularly using blog posts, emails, internal events or other mediums to reach a broader audience in different ways.

Keep the training content fresh, fun and exciting. Be sure to avoid example scenarios that could be deemed inappropriate.

The Intended Threat

Insiders that go rogue are not born; they are made. Whether taking steps on their own or working with an outsider, the rogue insider has become so frustrated with the company that they feel the desire to carry out an attack.

Unfortunately, once the attack occurs and is eventually detected by the security team, the insider may be too far out the door to save the data that was, or will continue to be, compromised.

The key to mitigating damage from intended insider threats is preventing them. Management teams that are committed to positive cultural values and that let employees know how important they are to the organization are far less likely to experience intended insider threats. Ensuring employees’ needs are met and that they are heard and appreciated, from a cultural perspective, are important ways for management to show this commitment.

For instance, adopting a flexible approach to working hours and locations gives employees the ability to develop an appropriate work/life balance. At Exabeam, we are committed to a hybrid working model. Managers should also check in with employees on a regular basis to ensure their success as part of their teams. If they see any red flags or early indicators of a potentially disgruntled employee, they would be wise to escalate it to leadership.

Joining Non-Technology Processes and Security Solutions

It’s so important to marry people and processes with a security technology solution that models behavior, learning normal patterns and automatically detecting when an employee, or an adversary posing as one, strays from usual behavior. The technology must automatically account for the fact that normal behavior can vary dramatically between users and between groups of users, minimizing the human intervention required to track risky behavior.
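To make the behavioral-baseline idea concrete, here is an added Python example (not Exabeam code and not from the article) that learns a per-user baseline of daily file downloads, falls back to a pooled peer-group baseline for a new user with too little history, and flags deviations by z-score. All users, groups and counts are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the article): files downloaded per day by
# each user over a 10-day learning window, plus each user's peer group.
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance", "dave": "finance"}
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12],
    "bob":   [40, 42, 38, 45, 41, 39, 44, 40, 43, 41],
    "carol": [9, 11, 10, 12, 10, 9, 11, 10, 12, 11],
    "dave":  [30, 31],          # joined recently: not enough personal history yet
}
# Constructed observations for the day being scored.
TODAY = {"alice": 48, "bob": 44, "carol": 10, "dave": 180}

MIN_HISTORY = 5    # days needed before a personal baseline is trusted
THRESHOLD = 3.0    # z-score above which activity is flagged for analyst review


def baseline(user):
    """Return (mean, stdev, source) for a user. Users with too little history
    inherit their peer group's pooled baseline instead of their own."""
    hist = HISTORY.get(user, [])
    source = "user"
    if len(hist) < MIN_HISTORY:
        hist = [x for u, xs in HISTORY.items()
                if PEER_GROUP.get(u) == PEER_GROUP.get(user) and len(xs) >= MIN_HISTORY
                for x in xs]
        source = "peer-group"
    if not hist:                 # no personal and no peer history: nothing to compare to
        return 0.0, 1.0, "none"
    # Floor the deviation so a perfectly regular history cannot divide by zero.
    return mean(hist), max(pstdev(hist), 1.0), source


def score_day(observed):
    """Score one day of per-user counts against each user's own baseline and return
    the users whose activity exceeds it by more than THRESHOLD standard deviations."""
    findings = []
    for user, count in observed.items():
        mu, sigma, source = baseline(user)
        z = (count - mu) / sigma
        if z > THRESHOLD:
            findings.append({"user": user, "count": count, "baseline_mean": round(mu, 1),
                             "z_score": round(z, 1), "baseline_source": source})
    return findings


if __name__ == "__main__":
    for finding in score_day(TODAY):
        print(finding)
```

Note that bob's 44 downloads would be a large spike for alice but is normal for bob, so only alice (against her own baseline) and dave (against the finance peer group) are flagged.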

The bottom line? Although most companies have some sort of insider threat program in place, an estimated 30% of U.S. workers have never received cybersecurity training, according to IBM, indicating that security is an afterthought in company culture.

Establishing a full, end-to-end culture of cybersecurity is essential for preventing, managing and containing evolving risks. Taking small steps to incorporate cultural and security awareness across the organization can make all the difference.
