A fact widely recognised by IT security professionals is that, when it comes to cyber-security, humans are always the weakest leak. A strong security culture is required, but it’s not something that will emerge organically. Instead, it will take a significant amount of time and effort to develop and maintain. Organisations need to be confident that when their employees are left to their own devices they will be savvy enough to spot suspicious activity, make conscientious decisions and be willing inform others about any potential threats.  

When developing a security culture, there are essentially five main points to consider:

1. Security Belongs To Everyone

Organisations need to make this perfectly clear, otherwise employees may assume that security is the sole responsibility of the security department. Every Active Directory user has a role to play when it comes to maintaining the security of critical systems. For example, users with levels of privilege that they do not require in relation to their job requirements can be seen as security threats. That is why it is always advisable to maintain a policy of least privilege, where users only have access to the data that they require to do their job. As the majority of data breach incidents occur through insiders accidentally mishandling data, you need to ensure that employees with privileged access fully understand the significance of the role they play in maintaining data integrity.

2. Focus On Security Awareness

Organisations will need to ensure that staff members are adequately trained and able to quickly identify and report any potential threats. Likewise, application developers and testers will need to be aware of advanced application security principles and practices. Simple practices, such as ensuring that there are stringent password policies in place and that employees follow them rigorously, can help to create a security aware organisation.

3. Make Sure That You Have A Secure Development Lifecycle (SDL)

An SDL is a development process that organisations can use to develop secure applications. The process will typically include the following phases; Planning, designing, coding, testing, release and maintenance. Many SDLC models have been proposed, although the Microsoft SDL is probably the most widely used. 

4. Acknowledge & Reward Those Who Are Security Conscious

Identify and encourage staff members who successfully mitigate a potential security breach. Perhaps even offer a financial reward to those who successfully complete a security awareness program. Make it possible for employees to become certified security professionals and give them the opportunity to advance their career towards a more security orientated role. If you create a culture where the main focus is security and those that are security-conscious are rewarded, it is very unlikely that you will be the victim of a data breach through negligence.

5. Make Security Fun & Engaging

Let’s face it, cyber-security is not typically the most inspiring topic, especially when it comes to insider threats. When providing security training, try to be creative and make it fun, as opposed to making people sit through a PowerPoint presentation that sends them to sleep. Perhaps introduce some games, such as a security quiz, for example, that will test a user’s ability to identify potential security issues. Educate your employees by exposing them to real world scenarios and case studies where the effects of insider threats have been realised.

Culture Meets Technology

As well as developing a strong and persistent security culture, organisations will need to ensure that they are using the right technology in order to help protect their sensitive data from insider threats. Such technology will enable administrators to set and enforce rules to restrict access to certain parts of the system, as well restrict multiple logins and monitor failed login attempts. Auditing, reporting and alerting on real-time network access will help organisations respond to potential breaches in advance If organisations are not able to promptly and accurately determine who has access to what data, where the data is located, and when it was accessed, they will find it incredibly hard to keep their system secure from careless, or even malicious insiders.