Insiders pose the greatest single threat to digital security, and the conditions created by hybrid workplaces are making the risk even more acute. According to the Ponemon Institute, insider security threats have risen over 44% since 2020. Yet while we focus a lot of attention on the security challenges posed by remote workers, do we pay enough attention to their wellbeing?
Insider threats are not always malicious – they often result from negligence or coercion. Remote work can impact mental wellbeing, and criminals are exploiting that impact.
“Criminals put a lot of energy into trying to compromise people,” says Gerhard Swart, chief technology officer at cyber security company Performanta. “The classic example is a phishing attack, which is a message masked to look like official correspondence but hiding a payload such as harmful software or a link designed to steal login details. Some attacks are very simple: leaving a USB stick lying around and hoping a curious person will plug it into a business computer, or encouraging someone to download a fun-looking app that hides monitoring software. These methods hope that an employee will be negligent and have a lapse of good judgement.”
The four types of insider threats
When employees feel stressed or isolated, they are more likely to make a simple mistake that has significant consequences. They could become targets for manipulation, and they might even feel disgruntled and justified in acting maliciously on their own.
Insider threats can emerge through employees, customers or supply chain partners. Consultancy and research firm Gartner has identified four types of insider threats: pawns, goofs, collaborators and lone wolves.
Pawns unintentionally aid security breaches by clicking on dangerous links, downloading malicious software or accidentally giving their login details to a third party. Goofs are still negligent but more intentional: they actively ignore security policies and circumvent security measures.
Collaborators work with outsiders to commit security breaches and crimes, such as stealing company data. A collaborator could be a willing participant or pressured into the crime. Lone wolves are like collaborators, but they operate independently, usually for monetary gain, IP theft or revenge.
“In all four scenarios, wellbeing can be an issue. Personal tragedy, isolation, high levels of stress, miscommunication, and debt make them easy prey for cybercriminals. We just don’t think of cybersecurity in that fashion,” says Swart.
“The typical Hollywood image of a cybercriminal is some guy tapping on a computer while a clock runs down. But spycraft is a better comparison. Cybercriminals use techniques such as urgent language, emotional manipulation, and blackmail to trick people into breaching your security. They look for overworked, stressed or disgruntled people, offering them a sympathetic ear and a way to get back on top. They look for unhappy or overwhelmed employees,” says Swart.
Wellbeing leads to better security
According to the paper Employee Well-Being and Digital Work during the COVID-19 Pandemic, “working exclusively remotely was shown to negatively affect wellbeing in terms of workplace relationships and work-life balance.” It adds to a body of research linking remote working to eroding employee wellbeing, which criminals aim to exploit.
Cybersecurity experts acknowledge the importance of people to a secure environment. Regular security training and testing, and a top-down encouragement of good security habits, are all staples of cybersecurity best practices. Yet the last two years have done much to erode employee wellbeing, and security teams should pay attention to this.
“Have you spoken to your HR department about where your people are at?” asks Swart. “Are there support systems for them? Do you know what they worry about or how they feel? It may seem strange to associate such empathic ideas with technical cybercrime defences, but a happy and alert employee is your best defence. They can spot attacks and warn you.”
The UK-based Chartered Institute of Personnel and Development highlights the following factors for better wellbeing:
* Physical health and safety
* Mental health and stress management
* Good workplaces with effective people management policies and autonomy
* Proper change management
* Clear company values and principles
* Collective and social employee engagement
* Positive, respectful relationships
* Opportunities for personal growth and career development
* Promotion of healthy lifestyles
* Financial wellbeing and support.
Good cybersecurity is not just about software, skills and training. It’s also about reinforcing people and making them the strongest link. Even though social distancing and remote working have weakened that link, the hybrid workplace is an opportunity for a new front in cybersecurity: a little empathy can turn employees from insider threats into security champions.