A positive company culture may seem like a cliché, but it is much more. A positive working culture is not only beneficial to your organisation’s reputation, but also a critical component of your security strategy. While looking at the psychology behind insider risk, we explored the role of personal predispositions and stressors in the broader critical pathway to insider risk. Organisational responses, as part of the wider organisational culture, are just as important in determining whether an employee commits an insider act or not. When employees feel valued and engaged, they are more likely to contribute to a safer and more secure working environment.
Indeed, whilst organisational culture can be largely influenced by the senior leaders at an organisation, it should be a shared and promoted element embraced by all employees at every level, extending throughout all organisational processes. These range from people-focused processes such as recruitment, onboarding and offboarding to outsourcing, due diligence, risk assessments and asset protection.
Culture consists of instinctive habits that employees learn and repeat through direct guidance or informal observation. They include emotional responses and establish a common norm for thinking, behaving and feeling throughout the organisation. But what is the link between organisational culture and insider risk?
Problematic Organisational Responses
Besides the personal predispositions of the insider, problematic organisational responses and behaviours are contributing factors to an organisation’s exposure to insider acts. That exposure grows when an organisation’s (security) culture is characterised by key shortcomings like a lack of enforcement, a reluctance to speak up, and excessive trust in employees. Indeed, research conducted by Gartner has identified a strong correlation between an organisation’s ethical culture and the number of security incidents it experiences.
Organisational culture also shapes the organisation’s behaviour in response to at-risk employees, including inaction, inattentiveness, or a lack of understanding of an individual’s predispositions or stressors. Certain actions taken by management in response to a potential insider threat can elevate the risk of an insider act taking place rather than suppress it. Here, overly aggressive investigative steps, or harsh mitigation strategies like terminating an individual, increase the likelihood of the organisation suffering an insider act. For example, 80% of incidents of sabotage of critical infrastructure information systems were perpetrated by dismissed employees.
Landmark cases such as that of Cameron Ortis serve as a telling example of the potentially devastating consequences of problematic organisational culture and responses to insider threats. Cameron Ortis served as director general of the Royal Canadian Mounted Police’s National Intelligence Coordination Centre (NICC). Ortis was charged in 2019 with violating the Security of Information Act, having illegally shared operational information with criminals and foreign intelligence agencies from as early as 2015.
An independent review identified numerous organisational shortcomings that increased the risk of an insider damaging the NICC. Several complaints about Cameron Ortis had been formally submitted to senior Canadian police officials. The complaints had been repeatedly ignored for more than two years prior to Ortis’ arrest, with the senior leadership seeking “to avoid the situation, rather than act”, and the review concluding that the police’s harassment complaint system was “significantly flawed”. Whilst colleagues took effective action to identify and report Ortis’ concerning behaviour, the lack of functioning response mechanisms resulted in negligence and a lack of adequate inquiry.
There are certain characteristics and elements of a positive, or generative, organisational culture that not only enhance employee satisfaction, but also enable the organisation to react quickly to serious risks and constantly improve its responses.
- Building a shared identity at work. Shared identities are powerful for bridging divides, producing solidarity and the ability to work together. This can be done by building an environment of cooperation and activities that encourage a deeper connection between co-workers, and by encouraging positive and anonymous dissent.
- Awareness, communication and training are crucial elements to enhance the understanding of security risks, making it more likely that employees recognise suspicious or malicious activities.
- Employee well-being efforts. These include actions geared towards enhancing employee well-being, such as embracing a healthy work-life balance and offering options to maintain flexibility. They also mean checking in frequently with employees and creating spaces for employees to tend to their mental health needs.
- Leadership as an example. It is important that clear values and expectations are set, whilst also involving employee input in this process. It is then the leadership’s responsibility to ensure that they lead by example. Furthermore, employees must feel that they can trust their superiors, whilst also being able to hold them accountable.
- Evaluation. Organisations should also ensure that employee satisfaction is measured by collecting data and running anonymous surveys on practices and the working environment, to find ways to improve further.
To summarise, generative organisational cultures are characterised by high cooperation, training, shared responsibilities, and inquiry. Not only does this culture enhance employee engagement and satisfaction, but it also reacts quickly to serious risks and constantly improves its responses. The result is fewer incidents, less time spent resolving them and more time for productive business activities. Setting clear expectations, providing training and awareness material, promoting collaboration and leading by example are all efforts that work towards not only a better working environment, but a more secure and resilient one as well.