As most HR people know, at the heart of every thriving business are great people. However, achieving such an equilibrium comes with challenges, especially as we face ongoing economic turmoil, says Jamie Akhtar.
Evidently, for business leaders and HR professionals alike, it is almost always impossible to predict what comes next, be it a pandemic or a cost-of-living crisis.
In fact, according to a recent survey by CyberSmart, conducted among senior leaders at small and medium-sized enterprises (SMEs) across the UK, nearly half believe that they are at greater risk of a cyberattack since the cost-of-living crisis.
But what happens when that threat comes from within?
What is an insider threat?
When it comes to cybersecurity, we often think about obscure and malicious criminals lurking on the outside, waiting to infiltrate an organisation’s network. We may do due diligence on third-party suppliers, set up firewalls, and spend thousands on monitoring tools to ensure bad actors are kept out. However, we often forget to assess the risk posed by one’s own employees. Statistics show that 38 percent of SME business leaders believe that an increased risk of cyberattacks during the cost-of-living crisis could be due to an uptick in malicious insider threats, while a further 35 percent believe such risk could be due to negligent insider threats. But what is an insider threat?
An insider threat is a person with authorised access or a comprehensive understanding of a system or business model that could potentially be used to cause harm to that organisation, maliciously or otherwise. Sometimes staff inadvertently introduce risk by clicking on a phishing link or sending potentially sensitive data to third parties. Malicious insider threats, on the other hand, have intent to create disruption or obtain information that could harm the business. Either way, an insider threat may lead to significant financial, reputational, or physical repercussions for the impacted organisation. In 2020, for example, two General Electric (GE) employees were charged for downloading thousands of files that contained trade secrets from company servers. They then set up a company using these secrets, which directly competed with and undercut GE in price, making GE lose out on lucrative contracts.
For HR professionals, it can be hard to think of their workforce, whom they have worked so hard to build and retain, as threats. Nonetheless, in times of turbulence, emotions are at an all-time high, creating the perfect breeding ground for mistakes and unwelcome behaviour. Take the current cost-of-living crisis as an example.
How is the cost-of-living affecting workers? And what does this mean for businesses?
A quarter of SME business leaders believe that staff are overwhelmed or concerned about meeting their financial commitments due to the cost-of-living crisis. Meanwhile, 29 percent of leaders admitted that salaries have stayed the same and 11 percent have reduced salaries, despite inflation soaring. Unfortunately, such discontent among staff may cause them to turn to other means to support themselves during this time, whether by committing financial fraud against the company or taking on additional work during contracted hours. Worryingly, a fifth of SME business leaders believe that employees will steal sensitive proprietary data from the company to sell for profit or for competitive advantage.
As stated earlier, the negligent insider threat is also a big worry. Arguably, it is an even larger liability than the malicious insider threat because it is harder to spot and tends to be more prevalent. For many, stress manifests itself physically, which often results in mistakes, like falling for phishing scams. If we are in a heightened state of stress for an extended period, we enter a state of fight or flight, making it almost impossible to make rational or informed decisions.
How Can We Stop Insider Threats?
It is imperative that organisations cultivate a strong cybersecurity posture. The UK government’s Cyber Essentials scheme is a good and comprehensive place to start for SMEs. In addition to deploying malware protection and updating software, it is equally important to introduce regular cyber awareness training for employees, to reduce the risk of falling for phishing attacks and other employee-targeted scams. Likewise, having strong policies and procedures in place makes sure lines between appropriate and inappropriate activities cannot be blurred.
Moreover, knowing who has access to what systems or devices is key, especially across remote working environments. In particular, it is crucial that businesses operate on the principle of least privilege. That means limiting what employees have access to according to their specific job role, and restricting admin access to a select few. This will help reduce the amount of damage a hacker or insider threat can accomplish.
Last but not least, during a time of widespread staff layoffs and budget cuts, providing compassionate person-to-person support, within reason, is a good way of fostering an environment of care. Reducing elements of stress in times of worry can prevent employees from turning sour or simply slipping up.
People First Approach
Of course, the threat of cyberattacks today is also on the rise due to other external factors like supply chain fraud or nation-state interference. Nevertheless, addressing gaps within the business is a good place to start. In both cybersecurity and HR, people are a hugely important component of the overall ecosystem. Without people, nothing would ever happen, for better or worse. By focusing on what you can control (i.e. attitudes towards cybersecurity and the implementation of appropriate security controls), cybersecurity risks can be drastically reduced.
Jamie Akhtar is the CEO and co-founder of CyberSmart.