This week, on our blog, we have a guest post from Heather Scallan, SVP Global Human Resources at NTT Security. 


While hacks and attacks tend to drive most discussions around IT vulnerabilities, it is breaches which are often unknowingly carried out by a company’s own employees that pose the more persistent threat. With access to systems and assets, employees can cause far more damage than external individuals purely through lack of awareness or negligence. This can include loss of intellectual property, disruption to operations, customer confidence adversely impacted, reputational damage, and leaks of sensitive information to third parties, including the press.


So what are the potential threats and how do they happen?


Negligent insider threats are often the result of employees trying to work efficiently and at speed, a combination that can sometimes result in colleagues taking short cuts when it comes to established IT security protocols. 


We are all familiar with the dialogue boxes from corporate IT telling us to download new software or install new browser versions and security patches. But, be honest, how many times do we ignore these messages, and especially when we are busy and working hard to get ahead of emails. And how many employees unthinkingly install software from unauthorized sources in the belief that it will help them be more efficient and take time back at work? 


Given the scale of the threat posed by casual disregard, it is essential to create and sustain a culture of insider threat awareness across the organization –a set of security-oriented behaviors that everyone adheres to and are aware of. According to our 2018 Global Threat Intelligence Report, social engineering and phishing continue to prove valuable to attackers, which suggests there is still some work to be done when it comes to employee security awareness. 


What steps can we take to improve security awareness?


Executive leadership is needed to drive cultural change, together with HR’s ongoing involvement. A top-down approach demonstrates the importance of security for the organization’s strategic, long-term, overall well-being. The role of HR is to help embed security awareness in recruitment, training and through professional development. 


As HR practitioners at NTT Security, we play a vital role in creating a secure-aware organization, where Integrity, Diversity and Collaboration, as our core values, help shape our approach to security awareness. We do this by connecting with our employees to make sure they are engaged – and where security is very much an integral part of their performance focus – and understand the importance of security awareness. In this way, colleagues feel empowered to act as secure-aware advocates and champion the right behaviors. 


Making security awareness an everyday practice 


Colleagues can often be put off challenging fellow employees when they spot a potential breach in security awareness. But if approached correctly, and in the right spirit, where respectful challenge is very much part of the norm, then this can be beneficial. 


It’s worth noting that it’s not only junior and middle management employees that are being targeted. Senior executives are also finding they are particularly prone to social engineering and phishing attacks, which just goes to underline that security awareness needs to be front of mind, and an important responsibly, for everyone. 


In recent human vulnerability tests conducted by NTT Security on behalf of clients wanting to evaluate their total risk, senior management were found to compromise organizational security in as little time as ten minutes. As explained in a blog post here, holding a mirror up to senior management like this not only helps to improve security awareness at a senior level but, critically, also creates a more security-conscious culture from the top down.


HR departments should continue to work with CISOs, senior executives and management at all levels to lead by example, customize training and consider what kinds of insider threats colleagues in a particular operation might encounter, so that they are forewarned and forearmed. It’s about partnering with the CISO to achieve the right balance between company policy, security awareness training (SAT), and ensuring a culture where risk-aware behavior is the norm rather than the exception.