A healthy security culture is one where everybody is all in on security within the organization. And transparency is critical for building a healthy culture that values security.
Employees should know from day one that your organization tracks anomalous activities in their systems, including file activity.
They should understand that the program is applied universally and without privileges or exceptions,
and they should understand how the program is designed to support their productivity while protecting the business.
Let's hear from Mary Neuville and Chris A. Freeman about what a transparent insider threat program could look like.
When it comes to data security, many times there's a paragraph in the employee handbook about data ownership.
The new employee signs the form, acknowledging they agree to everything, and then every year the employee signs another acknowledgment that they have read the security policy as part of their annual training.
This type of training is not engaging and is quickly forgotten.
Many of the prepackaged employee insider threat trainings we reviewed were dark, gloomy and encouraged employees to monitor and report on one another.
However, transparent communication and assuming positive intent can go a long way to building a culture where all employees understand what the acceptable use policy is, can help each other be secure and are empowered to be an important part of the solution to protect the company.
Security works best when it's ingrained in company culture and visible in daily life.
Think about the security objectives and programs in your organization with two basic questions.
Are employees aware of their responsibilities,
and are they given the tools and education they need to succeed?
So here's a few suggestions for implementing transparent communication:
acceptable use policies presented to employees frequently, for example, at login or on their lock screens;
employee lifecycle training
to ensure that new employees, old hats and departing or role-transitioning employees are aware of security policies and procedures;
education and awareness training
that is tailored to your company and links employees to policies or tools they can use to work securely, for example, pointing an employee in the right direction to get them access to approved cloud collaboration tools; and finally, telling your employees on day one what your security team will be monitoring.
At Code42, part of an employee's first day is spent with our IT and security specialists explaining the hows and the whys of our security policies,
along with badging in and out individually through doors. Special attention is given to encouraging a culture of security,
locking laptops when not in use and using secure passwords.
We tell employees on day one that we're gonna phish them. We explain we're not trying to catch anyone, just simply giving them the tools to be successful and to guard against real malicious emails that are bound to come their way.
Believe me, this gets employees aware and on their toes right out of the gate.
Additionally, we tell them what our team watches in terms of data exfiltration to help them avoid simple mistakes. The value of that alone minimizes alerts and opens the door to encourage clear communications to the security team when they need to move files for legitimate business reasons. If you can shave innocent mistakes off the top, everyone wins.
From day one, every employee knows what is expected of them. Security is part of our day to day.
The security team was looked upon as a partner in the business rather than an adversary. Ultimately, every employee is on the security team.
You may be thinking that this level of openness and transparency isn't suited to your organization's culture, and that's all right.
Your insider threat program should be tailored to your company's needs, which includes the culture.
If you're uncomfortable with a completely transparent insider threat program, you can utilize an ambassador program where your security ambassadors act as liaisons between security and the people in their departments.
This type of communication can be less formal and less intimidating for the receivers and helps everyone keep up on security issues and policies.
By openly communicating what is being watched for and why,
everyone is on the same page. And with a healthy security culture, your insider threat program will be easier to manage and, overall, be more effective.