Far too often, information security teams have only the broadest overview of the wider workings of their organisations. Other staff, meanwhile, tend to have little knowledge of or interest in information security practices, which they often believe have been designed to hinder their day-to-day work.
However, when any employee with Internet access can jeopardise the entire organisation with a single mouse-click, it should be clear that the responsibility for information security lies with every member of staff and that security practices need to be embedded in the working practices of the whole business.
How your staff help attackers
Insider attacks are not limited to the malicious actions of rogue staff. The term also refers to the unwitting behaviour of improperly trained employees, or to the exploitation of inappropriately applied privileges and poor password practices by malicious outsiders.
Staff need regular training on information security practices to ensure they’re aware of the risks they face on a daily basis.
People, processes and technology
The vast majority of malware is spread by drive-by downloads and phishing campaigns, both of which exploit human error.
Even if you use robust antivirus and anti-malware solutions, conduct regular penetration tests, and ensure you keep your systems up to date and install the latest patches, your system could still be compromised thanks to the actions of a careless employee.
This is why a best-practice approach to information security – such as an ISO 27001-compliant ISMS (information security management system) – follows a holistic approach that addresses people as well as processes and technology.
Staff awareness solutions
If your staff don’t take responsibility for their actions, then your organisation opens itself up to greater risks than it needs to.
Training, tools and thought-provoking activities can make your staff aware of the cyber risks they face every day, and suggest actions and procedures to minimise those risks.
IT Governance has an extensive suite of staff awareness solutions to help you educate your staff, including:
- E-learning courses
Our hassle-free, cost-effective e-learning courses emphasise the importance of compliance and security, develop good habits and put you on course to achieve and maintain accreditations such as the PCI DSS (Payment Card Industry Data Security Standard) and ISO 27001.
- Training aids
A mix of training and awareness methods will help you enforce your messages. We have a range of training aids that you can incorporate into your staff awareness programme, including phishing awareness posters and information security cards.
- Customised books
IT Governance Publishing (ITGP)’s bestselling books provide information governance, risk management and compliance expertise from renowned industry practitioners. You can customise any ITGP title with your own branding with our Branded Publishing Service.
- Security awareness programmes
Larger organisations looking to raise awareness of issues such as data privacy, information security and cyber security might be interested in a customised security awareness programme that combines the above with other elements, including e-learning courses, staff newsletters, awareness nudges and more.
Need more in-depth information about insider threats?
If you want to find out more about insider threats and how to mitigate them, you might be interested in Insider Threat – A guide to understanding, detecting, and defending against the enemy from within.
This book is the ideal resource for anyone looking to learn how a security culture based on international best practice can help mitigate insider threats to your security.
It looks beyond perimeter protection tools and details how to build a defence programme using security controls from the international standards ISO 27001 and ISO 27002, and NIST SP 800-53.