Every company has them, some more than others. They are at home, across the seas, or down the hall. I am talking about your colleagues, partners, vendors, and customers, all of whom make up the ecosystem of your business success or failure. It stands to reason that the individual is the most important ingredient in any and every insider risk management (IRM) solution. In this blog, I will argue ferociously that the human is the most important and strongest link in any insider risk program.
Insider Threat Prevention: People or Technology?
I met several people at the recent RSA Conference who were trying to ‘hook up’ (pun intended) their technological solutions to the insider risk bandwagon and calling it the panacea. Indeed, technology is important. At its best, the tech stack enables you to understand the who, what, where, when, why, and how of data movement – historically and in real time – in support of an investigative effort. But technology alone is not enough.
As DTEX Co-Founder and CTO Rajan Koo eloquently put it, “An organization’s best insider threat sensors are not cyber sensors (despite what software vendors might tell you), they are people (colleagues, HR, Legal, Finance, Logistics, and Reception).”
People are the best insider threat sensors and should therefore be the focus of an insider risk program – not technology. Importantly, focusing on people must not be confused with heavy-handed monitoring or surveillance. More on that later.
Smart security teams understand that people are human, and that human crises and vulnerability are part of life. These security teams put in place checks and balances so that when life does happen, employees are supported – not punished. This is where an Employee Assistance Program (EAP) offers tremendous potential.
Research published by the National Institutes of Health found that EAP use is associated with increased productivity, engagement and life satisfaction, and reduced absenteeism and workplace distress. By supporting individuals in crisis with an EAP, organizations can positively influence their employees’ mindset away from a vulnerable state that leaves them prone to human error and thus insider risk.
While not every entity has pockets deep enough to fund a full-blown EAP, every entity has the capability to invest in their colleagues by creating a compassionate work environment.
How Empathy Reduces Insider Risk
DTEX Co-Founder and President Mohan Koo has echoed this sentiment in the past in his case for a Trusted, Respected, Protected, and Valued Workforce. By creating a mechanism for listening and responding to the evolving needs of employees, organizations can create a ‘safe’ environment that translates to better business outcomes and improved overall security.
This includes reduced insider risk by both the benevolent and malevolent employee. In other words, a trusted workforce underpinned by empathy creates more attentive employees, partners, and contractors, reducing all types of insider risk – The Good, the Bad and the Indifferent.
Powering a Trusted Workforce Through Communication
In my piece, Insider Risk: When Business Gets Personal, I explained the importance of communicating what the organization is doing, and also what they are not doing as a way of driving a trusted workforce. Employers that are transparent about their employee monitoring capabilities and uses are far more likely to earn employee trust and respect than employers that are ambiguous or secretive about their technology use.
At the end of the day, trust forms the bedrock of an environment where employees are fully invested and engaged, so much so that they go to great lengths not to put it at risk. Of course, messaging and managing expectations in a way that is fair and decisive isn’t necessarily easy. After all, insider risk solutions aren’t ‘plug and play’.
It is important to be proportionate in one’s efforts when dealing with individuals – whether they be employees, contractors, customers, or vendors.
To that end, DTEX has a couple of helpful resources available on this topic; the i3 Team’s Insider Risk Communications Framework and the Insider Risk Resolution Decision Tree both offer practical ways of communicating with employees to mitigate and resolve risk in a way that is proportionate and fair.
The Data Piece: Choose Quality Over Quantity
Data also has a role in putting the human at the center of your insider risk strategy, but only to the degree that it proves valuable. In the context of insider risk management, data should simultaneously provide actionable insights ahead of a data exfiltration event and protect employee privacy, safeguarding the trust quotient outlined above.
In my article, Proactive Insider Risk Management: A Case for Technology Consolidation, I write about the shortcomings of traditional point solutions, which generate high levels of false positives and invade the employee’s fundamental right to privacy.
When selecting a data platform, one must consider the context the platform provides, for without context there is no way for an analyst to judge good from bad. In this sense, context refers to the way employees interact with the tech stack: their behavior. When the data captured lacks this behavioral context, analysts are left guessing, wasting valuable analyst time while genuine insider risks turn into threats.
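The following added example (not DTEX code, and not from the original post) illustrates the two requirements above in miniature: the same raw event is triaged once without and once with behavioral context, while the identity is pseudonymized so the analyst judges a pattern rather than a person. All event fields, context fields, thresholds and the salt are constructed, hypothetical values.

```python
"""Triage of one constructed raw event with and without behavioral context."""
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample event (not real telemetry); every value is hypothetical.
RAW_EVENT = {"user": "alice", "action": "copy_to_removable",
             "file": "q3_roadmap.xlsx", "bytes": 48_000_000}


@dataclass
class Context:
    """Behavioral context for the same user over a trailing window (constructed)."""
    typical_removable_copies_per_week: float   # the user's own baseline
    copies_this_week: int
    file_outside_usual_working_set: bool       # file not part of the user's role
    hr_notice_period_on_file: bool             # human sensor: HR, not a cyber sensor


def pseudonymize(user: str, salt: str) -> str:
    """Replace the identity with a keyed token; re-identification needs the salt."""
    return hashlib.sha256(f"{salt}:{user}".encode()).hexdigest()[:12]


def triage(event: dict, ctx: Optional[Context], salt: str = "hypothetical-salt"):
    """Return (pseudonym, score, reasons). Without context the score is indeterminate."""
    pseudo = pseudonymize(event["user"], salt)
    if ctx is None:
        # The raw event alone cannot be judged good or bad: the analyst is left guessing.
        return pseudo, None, ["no behavioral context: cannot judge good from bad"]
    score, reasons = 0, []
    # Compare against the user's own baseline, not a global threshold.
    if ctx.copies_this_week > 3 * max(ctx.typical_removable_copies_per_week, 1):
        score += 40
        reasons.append("removable-media copies far above the user's own baseline")
    if ctx.file_outside_usual_working_set:
        score += 30
        reasons.append("file lies outside the user's normal working set")
    if ctx.hr_notice_period_on_file:
        score += 30
        reasons.append("HR signal: notice period on file")
    return pseudo, score, reasons


if __name__ == "__main__":
    print(triage(RAW_EVENT, None))
    print(triage(RAW_EVENT, Context(0.5, 6, True, True)))
```

Note that the same bytes-to-USB event scores zero for a user whose baseline already includes such copies, which is the false-positive reduction that context provides.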
All on the Same Team
Addressing insider threats is rarely about purchasing more technology. It’s almost always about improving internal messaging and culture to educate and empower employees in a way that influences positive behavior change.
The needle we thread with insider risk programs is a narrow gauge. When your team is all in the canoe, rowing in the same direction toward the same goals, your chance to be successful increases dramatically.
By focusing on people through culture, communication and actionable data, organizations can create a trusted workforce, where people thrive, and mitigating risk is on everyone’s agenda.