The ninth practice described in the newly released edition of the Common Sense Guide to Mitigating Insider Threats is Practice 9: Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees. In this post, I discuss the importance of educating employees, managers, and trusted business partners about the role they play in preventing, detecting, and mitigating insider threats, and practices they should follow for protecting organizational critical assets.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The ninth of the 20 best practices follows.
Practice 9: Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees.
All stakeholders need to understand the risks to their organization's mission that can result from malicious and non-malicious actions by insiders. Organizational insiders include a broad group encompassing current and former employees, management, and trusted business partners such as contractors, suppliers, and interns.
Multiple levels of training are needed for the various types of employees and trusted business partners associated with an organization. Only through education at all levels can the organization successfully prevent and mitigate malicious and unintentional insider threats. The multiple levels of training can include
General insider threat awareness training. This training, designed for all employees and trusted business partners, covers what insider threats are, how staff might be targeted, what the indicators of malicious insider actions are, how to report suspicious behaviors, and why addressing insider threats is important to the health and security of the organization and its employees.
General security policy training. This training makes employees and trusted business partners aware of the organization's acceptable use policies, intellectual property policies, and data protection requirements and guidance.
General security best practice training. This training helps employees and trusted business partners prevent damage caused by unintentionally putting organizational assets at risk, whether by clicking on unsafe links, downloading untrusted files, or accidentally sharing sensitive or proprietary data.
Focused training for employees with special privileges or roles. This training outlines the responsibilities these employees have to protect the data they have access to and to report abuses of those special privileges.
Specialized training for employees who access classified information. This training ensures these employees know the proper methods for protecting data and reporting any sharing abuses.
Specialized training for managers and supervisors. This training teaches managers and supervisors how to recognize stressed or at-risk employees as well as methods for getting these employees the appropriate assistance.
Employees should also receive training about the consequences of not following acceptable use and other related security policies. Contractors and subcontractors should receive the same training as organizational employees in similar roles.
Recommended training and awareness strategies include but are not limited to the following:
Develop and implement an enterprise-wide security training program that discusses the various topics mentioned above.
Train all new employees and contractors in security awareness, including insider threats, before giving them access to any computer system.
Include training for employees who may not need to access computer systems daily, such as janitorial and maintenance staff. Such training can cover security scenarios they may encounter, such as social engineering, active-shooter situations, and sensitive documents left out in the open.
Provide security and insider threat prevention training continuously, especially as it relates to unintentional insider threat actions. Some organizations have seen success using exercises like phishing campaigns to test employee reactions in a safe environment. Exercises performed on a continuous basis can often change behaviors on a long-term basis.
Implement a mechanism to track the security training taken, to ensure that all employees and trusted business partners complete all training requirements.
Look beyond classroom instruction for providing training. Posters, newsletters, alert emails, and brown-bag lunch programs can be effective training methods.
Encourage employees to report security issues. Train them on how, what, and why to report.
Consider offering incentives that reward those who follow good security practices.
Without broad understanding and buy-in from members of the organization, technical or managerial controls will have short-lived success. Periodic security training that includes malicious and unintentional insider threat awareness supports a stable culture of security in the organization.
The transition from on-premises information systems to cloud services represents a significant, and sometimes uncomfortable, new way of working for organizations. Establishing meaningful Service Level Agreements (SLAs) and monitoring the security performance of cloud service providers are two significant challenges. This post proposes that a process- and data-driven approach would alleviate these concerns and produce high-quality SLAs that reduce risk and increase transparency.