But the key to turning the tide of these threats is tailored and compelling awareness training for employees, both scheduled and ad hoc, taught by approachable and experienced security staff. Why? It's all about the people.
Here are a few ideas:
- Educate and train employees semi-annually on security and the latest threats; contact the local FBI office for the most current information.
- Ensure that proprietary information is protected, and limit access to the systems staff need to do their jobs. When employees leave or change jobs, promptly revoke access.
- Ensure comprehensive due-diligence research and background checks before hiring new employees.
- Provide non-threatening, convenient ways for employees to report suspicions.
- Routinely monitor networks for suspicious activity. Publish anonymized results of audits so employees will see that policies are being enforced -- this will serve as a strong deterrent to those who may not "do the right thing when nobody is looking". On the other end, reward those employees who are of service to their fellow employees and the organization.
Will this proven method of engaging the workforce to be partners with HR, managers, and security result in increased vigilance and identify the next disgruntled employee or malicious contractor like Snowden?
A review of past espionage cases suggests that many culprits, but not all, displayed indicators that should have aroused (and sometimes did arouse) concerns on the part of co-workers and were reported. Because some culprits display no such indicators to co-workers, sophisticated data encryption, two-factor identification and behavior-based threat detection software are also critical to meeting the threat.
While there is much to be said for a blended approach to this issue, we cannot afford to ignore the single most powerful defensive tool in our security toolbox -- fellow employees who are aware of the various threats, understand basic warning signs of concerning behavior, and know whom to call so as to possibly avert the next data breach.