Every Organization Board Should Ask About Insider Cyber Security Risks

Boards working in synergy with management to drive business growth: that’s the dream, right? A recent Cyber Space Council study notes that cyber security has been on the board agenda for some time. But cybersecurity is a broad topic, and not all areas of cybersecurity are created equal. Certain issues can compound over time and have long-term impact if not addressed. One rapidly growing cybersecurity challenge is still flying under the radar for many organizations: “Insider Risk”.

Today’s “Cloud-First” approach and hybrid workforce have shifted security leaders’ focus from insider threats to data security risks. The majority of data leaks are accidental, not malicious. But regardless of intent, data leaks jeopardize the financial, reputational, and operational well-being of a company and its employees, customers, and partners.

Greatest Strengths, Greatest Risks

The pandemic was a massive force-accelerator for insider risk. Many businesses have increasingly built competitive advantage by fostering cultures rooted in speed, agility, collaboration, and innovation, using cloud-based apps and technologies to work smarter, faster, and better.

Chief Information Security Officers (CISOs) say in the survey that data-security risk has escalated since the pandemic began and that employees are now 90% more likely to leak or lose files with intellectual property (IP) and other valuable data than they were before the pandemic began.

The challenge for companies is that they cannot afford to block all risky activity: the majority of this activity is everyday productivity and collaboration, critical to getting work done and empowering ingenuity and innovation.

To address insider risk, organizations must shift from policy-based to risk-based cybersecurity approaches by considering their insider-risk tolerance. It is a delicate balance between protecting valuable data and enabling speed, collaboration, and innovation.

Board Involvement in Cyber Security

Boards are increasingly focused on cybersecurity, but most organizations’ boards don’t see the full story on their organizations’ cybersecurity posture.

Executives and the board are frequently under-informed about insider risk, according to Dr. Zakir Hussain, President of Cyber Space Council. He said board members need to become literate in cybersecurity issues like insider risk and take a proactive approach to understanding and advocating for strategic prioritization of it.

“The board’s responsibility is to make sure that the executive team has a plan, is prepared, and is preparing the whole organization for the eventuality of an attack,” rather than merely reacting to every new security crisis, he mentioned to CSC.

Dr. Zakir mentioned that another major concern for businesses is employees’ smartphones and apps, which are increasingly able to track location, activity and even conversations. Our cyber security defenses fend off an average of 90,000 security events a day; many of those events are simply phishing emails. Insiders are more vulnerable.

Moreover, board members should see the direct connection between how insider risk is managed and critical business outcomes. Go too light on insider risk management, and the loss of IP or other valuable business data can hurt revenue and reputation and jeopardize the company’s long-term competitive advantage. But a heavy-handed, overly constrictive approach could stifle corporate culture by impeding collaboration and innovation, limiting long-term success.

Industry experts mentioned the following ransomware facts:

1. Every industry is vulnerable.

2. Always remember to back up and have a DR plan.

3. Don’t forget to secure your remote workers.

4. Have a plan of action for a ransomware attack and have cyber insurance.

5. Have the mindset that you’re almost guaranteed to lose some of your data.

Questions from the Board

When it comes to insider risk, it’s up to board members to ask the right questions of their executive leadership team, including the CIO, CISO and chief executive officer (CEO). Here are some questions:

  • What factors are covered in the organization’s cyber policy?
  • How are you addressing cyber risk and compliance?
  • What key performance indicators (KPIs) and metrics are you using to evaluate exposure to insider threats, data loss, and theft?
  • What technology trends do you anticipate impacting the future of data security for the organization, and are we prepared for them?
  • What external forces could most significantly shift your visibility into risk created by your employees?
  • How are you reassessing the organization’s insider risk in light of recent or upcoming changes to the workforce, such as generational considerations with Gen Z entering the workforce, hybrid work, and voluntary and involuntary turnover?

Readiness in the face of an event:

  • What is the process for when a large-scale insider risk incident takes place?
  • How will the board be notified and involved? How will you evaluate impact?
  • Are you getting the right support and funding to address the insider risks within the organization?
  • What level of visibility does the leadership team have into the movement of valuable data off-network and to the cloud?

Understanding impact:

  • How do we ensure we are going beyond the bare minimum for compliance and can feel confident that our security audits are accurately evaluating our insider risk security posture?
  • What is the cost to the organization of insider risk and insider threat investigations? How long do they take? What have we learned from recent investigations?
  • During the quarterly or semi-annual risk assessment, how are we evaluating the likelihood and impact of data theft across the organization?

Boards Can’t Afford to Ignore the Growing Challenge of Insider Risk

Since COVID-19, there have been countless watershed moments in the business world, from the way people work at the ground level to the relationship between boards and management at the top.

A digitally enabled, fast-paced, cloud-powered collaboration culture is critical to positioning companies to thrive in the new business environment. Boards must also recognize that achieving this potential hinges on a company’s ability to manage the exponentially growing insider risk that these new ways of working present.

As boards ask management executives, “What are we doing to support innovation?” and “Digital transformation strategy?”, they must also ask the question, “What are we doing to manage insider risk?”

Learn how Cyber Space Council (CSC) can help your organization manage the complexity of growing insider risk and strengthen your “human firewall”, your insiders, by upskilling them at Cyber Aware Academy.

To report spoofing or phishing attempts, file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
