These days, the threat landscape for most companies is massive. But while there is a litany of outside threats that their security teams need to worry about, there is often an even greater danger much closer to home. Insider threats are an issue that no company is safe from, with breaches not just occurring at the hands of a disgruntled or malicious employee, but also unintentionally as a result of ignorance.
At this year's CSO40 Security Confab and Awards, Arthur Wang, ReSource Pro's information security and helpdesk supervisor, took to the stage to talk about mitigating those threats by spreading awareness and encouraging best practices for security and privacy. While many of the challenges his security team faced — being seen as an enforcer and not a partner, compliance issues, a limited budget, poor awareness of security policies, adaptation to new risks, etc. — would undoubtedly sound familiar to some, it's how Wang chooses to address those issues that's unique.
"Security is more than just policies and procedures," said Wang. "We must also consider the human element."
Considering the human element is where security teams tend to differ in their approaches. For some, the human element doesn't even come into play, and security amounts to little more than checking off the boxes to meet compliance requirements. Others, like KnowBe4, prefer to take the harsher approach and punish employees who make mistakes that may compromise company security in an effort to discourage negligence. Wang and ReSource Pro, however, take a more supportive, positive approach to spreading awareness.
One initiative, for example, was introducing a "Most Secure Process Department Award" to recognize achievements and contributions to improve employee awareness. The company even went as far as providing a monetary reward to the winning department.
Whether or not the approach of support over punishment works for all companies and employees remains to be seen, but the success of Wang's encouraging approach could at least be backed by stats. After running for a year and a half and issuing the award to eight processing departments, ReSource Pro found that 93 percent of its 1600+ employees had participated and 154 award submissions were received.
"The award created unprecedented employee engagement," said Wang.
And aside from increased employee engagement, there was — more importantly — a measurable positive impact on the company's security. "There was a reduction in security compliance issues," said Wang, who pointed to a subsequent downward trend over the years in the company's internal policy compliance issues. While there were six in 2011, there were only four in 2012, and then a mere three in 2013.
"With this approach, there was an impact on risk mitigation rather than technology prevention," he said.