A recent study by MITRE and DTEX revealed that despite years of industry efforts against insider threats, there isn’t enough data – or systems advanced enough – to spot all malicious behaviour.
As companies work to build a corporate culture of cybersecurity, they’ve begun investing in zero trust architectures to proactively cover all attack surfaces. While this is a step in the right direction, this security method also has the potential to raise fear and generate negative responses from employees.
This is especially a concern amid the Great Resignation. Countless employees are leaving their workforce due to issues centered around work culture that no longer meets the demands of the modern employee. In fact, poor work culture is reportedly 12.4 times more likely than compensation to be the leading cause for turnover. If taken as a sign of mistrust and poor faith, zero trust security could spread resentment and demotivation among employees, potentially accelerating turnover rates and bringing the Great Resignation to its peak.
How can companies effectively navigate zero trust without creating friction among employers and employees? And how do they get there without the luxury of trust-building exercises in the close quarters of an in-office environment?
The thing is, zero trust doesn’t mean seeding mistrust throughout an organisation’s networks. Companies shouldn’t have to rely on technologies alone for protection. Security is best applied when it’s a team effort. In other words, successful zero trust relies on a culture of transparency, communication, and consistency across the board. When appropriately understood and applied, these efforts can create a sustainable zero-trust work environment. So, how do we get there?
Create a culture of transparency and communication
According to the World Economic Forum’s Global Risk Report, 95% of cybersecurity breach incidents are caused by employee error. Humans are prone to clicking on phishing emails or unknowingly executing malware, rendering the entire company vulnerable to cyberattack. Zero trust security solves this problem by covering all attack surfaces, including the human attack surface.
But zero trust also raises questions around trust and faith between the company and its employees. Won’t verifying every decision and every move create a ‘Big Brother’ culture of fear and paranoia? Most organisations struggle with this dilemma. But in fact, the solution – or part of it – is quite simple.
Even as companies begin implementing zero trust technology into their systems, they must also integrate it into their culture. Alert employees as to what’s going on, what the process of zero trust entails, how it impacts and benefits them as well as the company, what to watch out for, and how they can support the zero-trust process.
By engaging employees and challenging them to embrace a healthy dose of scepticism towards potential threats, employers are planting the seeds of security across their organisational skeleton. Once employees understand what’s going on and the value of zero trust, they too begin to feel trusted and are empowered to be part of the broader cybersecurity network. This pays in dividends as employees proactively identify insider and outsider threats to the enterprise, covering all surfaces and fostering good security hygiene.
Implement briefings and continuous training
Part of the security culture-building process is reliant on ensuring employees always feel prepared. This includes sending continuous updates on accurately implementing zero trust and providing security training programs. It is not enough to say that ‘x’ is good, and ‘y’ is bad. People from different backgrounds are likely to have different interpretations of security mistakes and mishaps. While bad actors exist, most insider threats turn out to be accidental and unintentional.
By providing resources, including regularly hosting briefings, insider threat programs and cybersecurity awareness training at all levels – from the c-suite down to the intern cohorts – companies are more likely to see zero trust implementation unfold organically. With the right information followed by an “open door policy,” employees will know they have safety nets to fall back on in case of error and will be well-versed in the host of security risks to watch out for and avoid.
There are always going to be threats that penetrate a company’s layers of security. But if employees are trained in sustaining the company’s security culture, then identifying and reporting these threats (be it a call, email or text) will become second nature. Trained employees are empowered and empowered employees empower the company, protecting it against any and all potential breaches.
Create tools and incentives for success
A culture of transparency and knowledge combined with trainings for preparation can help hone the skills that employees need for a successful zero trust environment. But when a culture of transparency may not be enough to keep employees motivated, introducing incentives for success can help.
Zero trust technologies deployed in an organisation don’t just have to keep a weather eye on the horizon. Try making their deployment fun. Many of these technologies rely on tech-adaptive authentication to allow employers to create a risk score based on how their employees use their devices. Have fun with these scores! Whether using them to help build healthy competition among employees or starting a rewards program based off top security scores, employers should look to incentivise participation.
By understanding user behaviour, employers can also provide custom support tools and resources employees may need – be it VPN, encryption, more training, etc. Use of these varied tools will help organisations cover all attack surfaces and create stronger security hygiene for all. At the same time, incentives for getting or maintaining high security scores will motivate employees to continue using these resources and updating their security as needed.
While zero trust technologies are available to cover all attack surfaces and protect organisations, they mean nothing without the people using them, so aligning company success and security with employee success and security is critical. This means prioritising a culture of transparency, open communication, trust in the process and faith in each other’s ability to do good. This, complemented by continuous trainings to ensure everyone stays on the wheel and nobody gets left behind, and various technologies to cover all attack surfaces and ensure optimal protection, can help create a network of armed and trained employees to defend against threats now and in the future.
By Gil Vega, Chief Information Security Officer at Veeam