When we think of insider threats, the common image is that of a disgruntled employee who takes out their anger on their employer or their manager. Research from the University of Central Florida reminds us that this is seldom the case.
While investment in cybersecurity has risen considerably in the face of a huge increase in attacks during the pandemic, often this investment has focused on technologies to try and keep data and systems safe. While such investments are worthwhile, the most vulnerable part of any system is almost certainly going to be us humans. The authors highlight that when organizations do have cybersecurity training, there is often an implicit assumption that insider threat attacks are done with malicious intent.
The reality, however, is that our failure to comply with the cybersecurity processes of our employer is more likely to be driven by stress. The researchers quizzed around 330 employees who were working remotely during the Covid pandemic. The workers were asked about their adherence to the cybersecurity policies of their employer alongside things such as their stress levels.
They followed this up with in-depth interviews with a group of 36 employees to try and get a better idea of just how the shift to remote working as a result of the pandemic may have affected cybersecurity. The results show that adherence to security policies was pretty intermittent. Indeed, on a typical workday, 67% of participants said that they had bypassed official cybersecurity policies at least once, with there being a 5% chance that they would do so on any given task.
It should perhaps be self-evident that breaches on this kind of scale are unlikely to be driven by widespread discontent with one’s boss or employer, and this was indeed what the researchers found. Indeed, the top response when asked why people circumvented security protocols was that doing so better helped people to get things done, either for themselves or for a colleague. This reason accounted for around 85% of all intentional breaches of the security rules. Contrary to popular perception, an intentional desire to cause harm only accounted for 3% of the security breaches. To put that into perspective, that makes non-malicious breaches around 28 times more likely than deliberately malicious breaches.
Importantly, the relatively benign breaches were far more likely on days when employees were suffering from stress. This strongly suggests that being placed under stress reduces our willingness to abide by rules if those rules are perceived as stopping us from doing what we need to do.
The causes of stress are oft-cited and include family demands, job insecurity, conflicts with our colleagues, and even the demands of the cybersecurity rules themselves. However, there was a clear link between the pressure people faced to do their job and the belief that cybersecurity procedures inhibit their ability to do that job as effectively as they felt they needed to. Adhering to protocols often resulted in feeling like jobs take more time or effort to complete, with employees also complaining that the protocols made them feel like they were being monitored and couldn’t be trusted.
The researchers accept, of course, that their findings were a result of self-reporting from participants, so they would only be able to report on cybersecurity breaches that they were themselves aware of. This will mean that breaches as a result of a lack of knowledge or poor practice will have almost certainly been overlooked because people only know what they know. The findings do nonetheless remind us that insider threats are seldom the result of malicious and deliberate intent but rather due to a lack of training or intense pressure to get things done as quickly as possible.
Reducing the risk
So what can managers do to improve adherence to the guidelines and, therefore, the security of their systems? A good first step is to appreciate that the overwhelming majority of security violations are intentional and benign. People simply want to get their work done as efficiently as possible, so cybersecurity training should work on that basis and inform employees how they can do this while still remaining secure.
It’s also important that people feel confident enough to speak up whenever they breach security policies, as the quicker they can do this, the quicker the challenge can be addressed, and any security risks plugged.
"How do people react when the employee makes a mistake," Kaspersky’s Chris Hurst says. "It's crucial that if employees make a mistake that they're confident enough to open up about it and escalate it to people who can do something about any possible risks involved."
It would also be prudent to ensure that staff are included in the development of security protocols. This would help to ensure that protocols aren’t developed that would inhibit people’s work and result in them striving to find workarounds that reduce the effectiveness of the protocols themselves. By better understanding how protocols affect people’s workflows, security teams will have a better chance of adherence. This is especially important as people have moved to remote working and therefore taken on different ways of working.
Of course, tackling the stress and pressure that workers are under would be no bad thing either, but perhaps the key takeaway from the research is that the way we design our jobs and the way we design our cybersecurity are intrinsically linked. With cyberattacks on the rise and affecting most organizations, it’s no longer good enough to assume that insider threats are the result of a few bad apples but rather the poor way in which jobs and security protocols are designed. Once we grasp that, we can perhaps start to make positive headway.