The Insider Risk Management (IRM) world is filled with buzzwords. Phrases like “insider threat”, “the human element”, “zero trust” and “data exfiltration” have come to prominence as our community of IRM professionals has created new ways to talk about a simple concept: employees are a risk to your company’s security.
While this may be true, there are a host of reasons to soften the language around this message. First and foremost, we don’t want to risk vilifying well-meaning employees, who represent most of the workforce. It goes to show how tricky the IRM world can be: we want to protect our data, but we (rightfully) want to do it without alienating, offending, or casting aspersions on our employees.
From a communications perspective, securing a firewall is easy because firewalls can’t get offended if they’re referred to as a “threat” or an “attack vector.” When we’re talking about human beings, it’s important to take soft skills like communication into account as you go about executing your IRM strategy.
So, what does that look like in practice?
Offer Support, Not Suspicion
The ultimate goal of IRM communications is to foster a risk-first mindset among employees without making them feel untrustworthy or incompetent. After all, an effective insider risk program should underscore a trusted workforce. That means empowering employees instead of castigating them.
The first step toward achieving this balance is ensuring that the company is offering support, and not suspicion. For security professionals, this can be challenging. The natural progression is: see threat, eliminate threat. That doesn’t work when the perceived threat in question is a valued contributor to your team and you’re trying to develop a supportive culture. It’s important to understand that not all insider risks go on to become insider threats. Organizations should therefore refrain from calling their employees insider threats, as the term carries negative connotations.
Companies must hold the view, and communicate it, that employees are part of a trusted workforce and part of the solution to mitigating internal risks, not attack vectors that need to be protected against.
This means offering support through training and awareness instead of a blanket, surveillance-heavy approach.
It means demonstrating respect for employee privacy while clearly communicating security, HR and access policies to all employees, whether new, existing or departing.
Security teams that assume malicious intent can easily run afoul of employees (and their privacy) and risk alienating well-intentioned workers. Understanding why people behave the way they do enables organizations to determine what specific indicators can be used to proactively identify risk before it turns into a threat.
By developing that understanding, organizations have an opportunity to get “left of boom” and to decide and enforce the best course of resolution, in proportion to the level of risk posed.
To this end, DTEX has developed a communications framework for insider risk management to understand how best to communicate with employees to mitigate risk in a way that is proportionate and fair.