The Carebear Stare and The Reading Rainbow
Using childhood philosophies against adult threats, minimizing and eliminating insider threats through loyalty and education
Types of Insider Threats
Infiltrators: Those who sought employment in the company for the purpose of exploiting
Motivations for insider threats according to a CERT report published in 2012
Here we can see where our career employees come into play: finances can account for infiltrators or employees. Revenge, however, indicates a personal motivation, unlikely in an infiltrator. Unless your company specializes in giving cancer to babies, in which case pretty much everyone hates you.
Your employees are your greatest asset in every sense, for profits, productivity and security. Bringing your workforce on board your security team gives you security at every level of the company and more information than any monitoring software could ever hope to achieve.
By showing and earning trust you can add loyalty to your defenses, a trait which, when strong enough, can overcome greed, theft, and slights real or imagined.
Let them know they aren’t an enemy
Be open with your employees that you don’t consider them an enemy. Let them know you’re on a team fighting against outside threats and infiltrators.
Teach them to identify potential threats
Educate employees on how to identify infiltrators, or just something that feels off. Encourage them to voice concerns without fear of being blown off or “getting someone in trouble”.
Teach them secure practices
Obvious, yes, and you likely already have this in place to some extent. Consider, though, whether your training needs an overhaul, or whether some of your current security measures could be cut in favor of more extensive training.
Teach them how this benefits them personally
When you educate on secure passwords, cover the whys and draw real-world examples of how they can use this knowledge in their personal life, for example to keep their bank account secure. Engaging employees on a personal level will result in better knowledge retention and inspire goodwill.
Open Door in IT
Do not be condescending to “users”
It’s hard; sometimes people ask terrible questions or throw fits over things of insignificant proportions, but they are still people and they are still part of your team. Learn to appreciate the skills they bring to the company and try to share knowledge rather than belittle.
Encourage IT to be viewed as a friendly resource
Make the IT department open door and encourage employees to voice concerns. IT is in a unique position to listen: they aren’t management or HR, there is no stigma of “tattling”, and they can make the best of information received through discreet monitoring and threat assessment.
Once you have employees willing to talk, actually listen, or they’ll never bother talking to you again.
Cut Invasive Measures
Weigh all security measures against invasiveness
Start with all the policies you have in place, weigh their success against perceived invasiveness, and get feedback on what employees dislike most. Be vocal when you retire a known policy, and share with employees your desire to trust them. Explain that you would rather spend the budget on raises and bonuses than on any superfluous security measures, and encourage their aid in making that happen. When a new security measure is considered, always take its impact on employees into consideration and, if necessary, explain why a new measure is being adopted.
Be discreet with policies deemed necessary
Keep little-known policies little known; don’t try to scare employees by reminding them you can read their emails or that you track server usage. Fear will not inspire trust and is an insufficient deterrent to the angry or desperate.
Morale and HR
Build solid lines of communication with HR and Management
When a concern does arise over a possibly disgruntled or struggling employee, IT should hear that concern immediately. This doesn’t require sharing sensitive or private information about an employee. A simple request to increase monitoring or a number code to indicate level of concern is sufficient.
Take an active interest in morale building
IT departments should keep a close eye on the company’s general morale, and make efforts to keep security a continuous topic on everyone’s mind. Hold a security contest. Call employees and try to social-engineer sensitive information out of them, or recruit your security team to attempt to follow employees in through key card access doors. Publicly reward those who handle it successfully, and provide one-on-one training for failures, not disciplinary action. Handled properly, regular contests can be entertaining and will sharpen skills while keeping security threats on everyone’s mind, but not in an oppressive way.
In the end, this all comes down to the golden rule: the more loyalty you build and the better you educate, the better your chances of eliminating threats that stem from ill will or ignorance.
Harming you becomes difficult for me because the two of us are part of We.
Cultivating the We mindset benefits employees and the company from a financial and security standpoint.