Insider Threats Don't Mean Insiders Are Threatening
By implementing tools that enable internal users to do their jobs efficiently and securely, companies reduce insider threat risk by building insider trust.
Cloud technologies enable people to collaborate, enhancing distributed workforce models with automation. Organizations continue to invest in these technologies so that they can reduce overhead and optimize revenue. According to Flexera's 2022 "Tech Spend Pulse" report, 74% of respondents said digital transformation was one of their top five priorities last year, and 69% said they slightly or significantly increased their spending on software-as-a-service (SaaS) technologies. However, everything comes with a cost.
The asynchronous collaboration that enables business operations generates new security risks. Historically, insider threats focused on malicious or disgruntled employees seeking to steal information, often for financial gain. Today, insider threats more often mean that people made honest mistakes.
Organizations owe a duty to themselves, their customers, and their workforces to implement technologies that help keep insiders from becoming a threat.
The Majority of Insider Threats Are Not Threatening Insiders
When most people hear the term "insider threat," they think of corporate espionage, insider trading, or embezzlement. The phrase connotes theft and stealth that may make workforce members feel their company no longer trusts them.
However, according to one report, although insider threats nearly doubled between 2020 and early 2022, 56% of incidents arose from carelessness or negligence, while only 26% related to a criminal insider.
Building Customer Digital Trust
When companies focus on security and privacy, they center the conversations on building customer trust. Whether in a business-to-business or business-to-consumer organization, customers make buying decisions based on an organization's data protection capabilities.
In the B2B space, customer due diligence and contracts validate security by requiring third-party audits and responses to questionnaires. Companies recognize that to sell their products or services, they must implement and maintain security and privacy controls.
At the B2C level, organizations have no contractual requirement to provide security and privacy validation, yet buyers do consider this when making purchases. McKinsey reports that consumers consider a company's security and privacy when making purchasing decisions, noting:
40% of all customers stopped doing business with a company that was not protective of customer data
53% of consumers make online purchases or use digital services only after making sure that the company has a reputation for protecting its customers' data
To build customer trust, organizations implement tools that enhance their security posture. Unfortunately, in the process of protecting data, these tools create end-user frustrations or reduce productivity. These usability challenges mean that insiders try to find workarounds that lead to mistakes and insider threats.
Building Insider Digital Trust
Workforce members need to view security as an enabler rather than a burden. Too often, security and privacy professionals have been forced to choose between protecting data and ensuring workforce members can do their jobs. In the same way that organizations foster customer trust, they need to build insider trust.
By providing insiders with solutions that make security and privacy easier for them, organizations reduce the likelihood that people will find workarounds that undermine data protection objectives. When organizations think about their workforce members as consumers, they build internal trust that mitigates risk.
Look for Zero-Knowledge Solutions
Outside of their jobs, workforce members are consumers, meaning they consider privacy when making purchasing decisions. They want to know how their employer protects their information.
Organizations using zero-knowledge solutions protect themselves, but they also prove their commitment to protecting employee data. A zero-knowledge solution never stores login credentials on its own servers. At the organizational level, this mitigates risks arising from a supply chain attack.
A vendor data breach compromises employee information. A zero-knowledge solution protects employee privacy as much as it protects organizational security by protecting the contents of these communications, since the vendor never stores that information on its servers. By showing commitment to protecting employee data, organizations build insider trust.
Enable Security and Privacy Mindsets
People rarely, if ever, want to be a data breach source. For example, when employees use a "share with a link" functionality in a cloud workspace, they just want to be helpful or get their jobs done.
Security and privacy technologies should fit into how people already think about work. For example, end-to-end encrypted (E2EE) workspaces can provide the security and privacy organizations want with the end-user experience people expect. An E2EE secure workspace builds security and privacy into people's daily activities by:
Encrypting data as they create it
Enabling them to send encrypted files, emails, and links
With these solutions, organizations implement security and privacy controls without blaming the end user. Workforce members feel trusted and respected.
Leverage Automation and Workflows
To build internal trust, organizations need to see security and privacy through their employees' eyes. People want efficiency. They want work-life balance. When security tools impact their efficiency, work time cuts into personal time.
When choosing security and privacy solutions, organizations must consider how the technology impacts employee workflows. When faced with cumbersome tools, workforce members will look for more efficient solutions.
By implementing solutions that incorporate automation and workflows, organizations build internal trust. Technologies that reduce end-user frustration enable employees to build security and privacy into their daily tasks without compromising their personal and professional goals.
The Circle of Digital Trust
People are the reason technology exists. It enables them. It makes their lives easier. It helps them make decisions. People use technology.
Security and privacy professionals must consider people when implementing technologies. Too often, the industry focuses on external stakeholders: their customers. Organizations implement security and privacy technologies to gain external stakeholder trust. By paying less attention to internal stakeholders' needs, they often create security and privacy gaps.
Companies must close the digital trust circle. They must implement the tools that enable their internal users to do their jobs efficiently and securely. In doing this, they reduce insider threat risk by building insider trust.