It is no secret that the majority of cyber-security incidents are, in some way or another, caused by negligent or malicious employees. In the context of developing a training program to minimize the likelihood of insider threats, we are only really interested in threats that are the consequence of employee negligence. After all, you can’t really train an employee not to act maliciously. Below are some examples of the types of negligent behavior that can put our systems and data at risk:
- Emailing sensitive data to the wrong recipient
- Falling for phishing scams
- Visiting malicious websites
- Ignoring company policy if it is inconvenient to them
- Using weak passwords or re-using the same password on multiple accounts
- Installing unauthorized applications on their device
- Ignoring software updates
- Disabling security features
- Using public Wi-Fi to access the company network without a VPN
Why is Insider Threat Awareness Training Important?
While employees might be our biggest threat, they are also our first line of defence, which is why insider threat awareness training is crucial if we want to keep our sensitive data out of the wrong hands.
Our employees must be sufficiently trained to identify and report insider threats when they arise. In many cases, an employee will be able to detect an insider threat before even the most sophisticated threat detection software does. This is especially true when it comes to spotting phishing emails, which are often able to evade most AV/SPAM filtering solutions.
If our employees haven’t received sufficient training on insider threats, they won’t understand why they are being asked to do certain things, and this could lead to resistance. For example, most companies will monitor the behavior of their employees. If employees don’t know the precise reasons why monitoring their behavior is important, they will likely object to the practice, as it would be seen as a lack of trust and a violation of their privacy. Likewise, companies must be vigilant when it comes to restricting access to sensitive data. If employees are not aware of the importance of doing so, they will get frustrated and feel like the security team is making their life unnecessarily difficult.
Ensuring that employees are aware of insider threats will make them considerably more receptive to any changes in the software they use and the security protocols they must adhere to.
It should also be noted that under data privacy regulations such as GDPR, HIPAA and CCPA, insider threat awareness training is mandatory. However, simply ticking boxes in order to comply with the regulations is not the best approach, as it’s likely that the training won’t be as effective as it could be.
Insider Threat Awareness Training Tips and Best Practices
Firstly, insider threat awareness training must be ongoing, otherwise employees will lose focus and will likely forget what they have learned. Additionally, companies often hire new employees who will need to be trained accordingly. You will need to carefully monitor the effectiveness of each training session to determine how it can be improved. Below are some additional tips to help you develop an effective insider threat awareness training program.
Document the purpose and scope of the training program
You need to know who you are training and what you are trying to achieve. For example, regular employees will require a broad understanding of data security best practices, while system administrators and security officers will require a much deeper understanding of the threats they face, and the means by which to mitigate them. If you haven’t already done so, you will need to carry out a formal risk assessment, which documents the most common types of threats your organization is faced with. You should use this assessment as the basis for your training program.
Determine which learning methods are suitable for which groups
As mentioned above, different types of users require different types of training, and the same is true for the specific learning techniques used. For example, you can have classroom-based learning, which is often the best approach for those who are new to the subject. By hiring an instructor to deliver a training course, students will have the opportunity to ask questions in order to clear up any ambiguities in the course material. Of course, this approach requires more resources, as you will need to create a course timetable, as well as hire or train somebody to deliver the course content.
Another approach would be to use software, which will require considerably fewer resources, although the students won’t have the same opportunity to ask questions. That said, you could use some kind of online support forum, which might work out better as they can read through the Q&As any time they choose. The software could include videos, quizzes, games, simulations and other interactive elements, to make it more fun and engaging.
All training material should be well-documented and easily accessible to ensure that anyone can refresh their knowledge anytime they choose. Likewise, companies can educate their staff by providing informative alerts when they attempt to perform risky operations, such as sending sensitive data via email, or installing an application onto their device.
Keep it fun, engaging and relevant
This may seem obvious, but it’s worth mentioning anyway. If the course is boring, there’s a good chance the students will switch off. Perhaps use a mixture of the training methods mentioned above and be sure to provide real-life examples of insider threats and their consequences.
If you are using an instructor to deliver the course material, find someone who is enthusiastic and willing to joke around. And, by all means, offer some free coffee and cake to those who attend. Creating an open atmosphere where students can ask questions will also help to capture their attention.
Put the training into practice
While tests and quizzes are useful ways to determine whether the students have understood the material, a more effective approach would be to carry out mock insider attacks. This might include sending out simulated phishing emails or attempting to harvest sensitive data through some other social engineering technique. Doing so will give security teams a clear insight into how effective the training was, and any areas that need improvement.
While it is important to approach those who failed the test to explain to them what they did wrong, try not to make the feedback too negative. The most important thing is to get them on board and ensure that they are willing and able to learn from their mistakes.
Should your insider threat awareness training fail, you’ll want to make sure that you have the ability to see which of your users are insider threats and be able to take action fast.
If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your sensitive data and protect you against insider threats, schedule a demo with one of our engineers or start your free trial today.