A hydrologist will tell you water runs downhill. The same goes for policy decisions within companies, regardless of size. If leadership isn’t investing in an initiative beyond its initial messaging, then the downstream message flow will be the equivalent of an arid desert arroyo: a sudden flash and then, without leadership, support evaporates into thin air.
Transparent leaders are the most effective leaders. This is especially relevant when it comes to the level of physical and technological surveillance present in the organization. All this said, it’s no wonder insider risk program management is difficult. Messaging is hard, managing expectations is hard, and being fair, yet decisive, is hard. If it were easy, we’d call it leisure. This is work.
Insider risk management solutions aren’t ‘plug and play’. Before considering implementing any technology, one must first understand what the technology will solve, and, most importantly, how.
Leadership supported by technology
Leaders tell us the pathway to a solution involves people, process, and technology. Trust, while not highlighted enough, is always implied: the people involved can be trusted to make the best decisions based on available resources and knowledge. These same leaders drive strategic direction in the development of the insider risk management strategy, which is focused on governance, risk, and compliance (GRC).
Those who have engaged with DTEX’s i3 team know that measuring risk is key to understanding what ‘must’ be mitigated, what ‘may’ be mitigated and what will have to ‘wait.’ The answer is rarely in the purchase of additional technology. The answer almost always is to improve messaging to change understanding and in turn behavior.
Technology is the support mechanism brought in to make things happen, while the people, often saddled with the moniker “the weakest link,” are the anchor. It is the people who design the processes, create the procedures, and choose the technologies that ensure those processes sing like a well-rehearsed choir.
Proportionality and balance
Every industry must embrace GRC to identify their roadmaps to a lower risk state. For this reason, the messaging on the technological capabilities used to measure and monitor must be on point and accurate. Furthermore, great care must be taken to be proportionate in one’s efforts.
Proportionality isn’t as complicated as one may think. Those who enjoy the greatest level of access should also enjoy the greatest level of surveillance. By keeping the level of “observation” at a reasonable and understandable level, trust is fostered, and the business isn’t constipated by individuals unwilling to act because every action is being scrutinized under the assumption it may be malevolent.
If anomalous behavior is detected, then it is reasonable to investigate, but only in proportion to the alleged activity.
They shouldn’t have access!
Is your network secure? This isn’t a trick question.
It is, however, a question that helps define one’s understanding of the philosophy of “assumed compromise or breach”. The organization that recognizes that they don’t have everything locked down but is addressing their gaps is stronger than the entity that spews BS to customers and leadership about being 100% secure. Honesty builds trust. And the position of “assumed compromise” is table stakes.
The playbook used for departing employees should include the following: remove from the network; isolate devices; conduct an exit interview; obtain an attestation that all company assets (including data) have been returned. In 99 percent of companies, the employee walks out the door and the threat posed by the individual is considered mitigated.
Whether the employee was shown the door or exited on their own, the reality is that one must operate from the position of potential continued access (assumed compromise). Shared credentials, sharing of credentials, and filching credentials are all means by which former employees can and do access the infrastructure of their former employers.
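One concrete way to act on “assumed compromise” after offboarding is to keep checking authentication logs against the HR departure roster, and to treat any shared or service account the departed person is known to have held as unrotated until proven otherwise. The script below is an added example written for this article, not code from the author or from DTEX; the roster, the log format (`timestamp auth result user= src=`) and all log lines are constructed sample data, and the field names are assumptions rather than any real product’s schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed sample roster from an HR offboarding feed (not real data).
# "shared_accounts" lists non-personal accounts the person is known to have
# held credentials for; those should be rotated at departure.
DEPARTED = {
    "jdoe": {"left": "2024-03-01", "shared_accounts": ["svc_backup", "crm_admin"]},
    "asmith": {"left": "2024-02-20", "shared_accounts": []},
}

# Constructed sample authentication log lines in an assumed syslog-like shape.
SAMPLE_LOG = """\
2024-02-27T09:12:03Z auth success user=jdoe src=10.0.5.21 method=password
2024-03-04T22:41:55Z auth success user=jdoe src=203.0.113.7 method=password
2024-03-05T01:03:10Z auth failure user=asmith src=198.51.100.4 method=password
2024-03-12T03:15:00Z auth success user=svc_backup src=203.0.113.7 method=password
2024-03-12T08:00:00Z auth success user=bwong src=10.0.5.30 method=password
2024-02-15T11:00:00Z auth success user=crm_admin src=10.0.5.21 method=password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    account: str
    src: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def build_watchlist(departed):
    """Map every account worth watching to (former holder, departure date, kind)."""
    watch = {}
    for user, info in departed.items():
        left = datetime.fromisoformat(info["left"]).replace(tzinfo=timezone.utc)
        watch[user] = (user, left, "personal")
        for acct in info["shared_accounts"]:
            # A shared account becomes suspect from the earliest departure of any known holder.
            prev = watch.get(acct)
            if prev is None or left < prev[1]:
                watch[acct] = (user, left, "shared")
    return watch


def flag_post_departure_activity(departed, log_text):
    """Return findings for any watched account used on or after the holder's departure.

    Failed logins are reported too: an attempt against a disabled personal
    account after departure is still worth an investigator's attention.
    """
    watch = build_watchlist(departed)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in watch:
            continue
        holder, left, kind = watch[rec["user"]]
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        if ts < left:
            continue  # activity before departure is normal
        if kind == "personal":
            reason = f"account of departed user {holder} still in use ({rec['result']})"
        else:
            reason = f"shared account held by departed user {holder}; credential likely not rotated"
        findings.append(Finding(rec["ts"], rec["user"], rec["src"], reason))
    return findings


if __name__ == "__main__":
    for f in flag_post_departure_activity(DEPARTED, SAMPLE_LOG):
        print(f"{f.timestamp} {f.account:<12} {f.src:<14} {f.reason}")
```

Run against the sample data, the check surfaces three findings: the departed user’s own account logging in from an external address, a failed attempt against a second departed user’s account, and a login to the shared `svc_backup` account that a departed employee once held. The last one is the point of the exercise: removing a person’s own login does nothing about credentials they shared or carried out the door, so the watchlist has to include every account they could still reach.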
This was evidenced when an employee voluntarily departed Allen & Hoshall, a design and engineering firm located in Memphis, Tennessee, yet managed to squirrel away access credentials to his employer’s databases. That access, exercised over a two-year period, allowed him to set up a competitive entity and successfully compete against his former employer.
What you say matters
Recently, Australia’s Home Affairs Minister, Clare O’Neil, flatly rejected Optus’s claims regarding its breach. Her message? “Do what you say you are going to do.” Optus claimed it was secure and that a sophisticated attack was behind its breach. O’Neil says Optus left the door wide open.
Those of us long in the tooth know the word “sophisticated” occupies the center-square in the infosec game of buzzword bingo. “Sophisticated” means it was either too complicated to understand or so simple that one doesn’t wish to share their public embarrassment. In the Optus case, they said one thing and according to O’Neil were doing something quite different.
What you say and how you say it matter. When the ugliness of broken trust by an insider does raise its head, the messaging to all concerned must be crisp, accurate, and timely. Companies will be well served by spending a few moments putting together a section on crisis management communications within their insider threat remediation playbook.
Organizations could consider adopting the acronym P-E-A-R-L to help prioritize:
- P – people
- E – environment
- A – assets
- R – reputation
- L – learnings
No one enjoys learning a colleague, vendor, or a customer was dishonest and took advantage of the shared trust.
In closing, operate from the assumption of compromised systems. Be open and transparent with your workforce on the level of surveillance present in your organization. Understand that trust forms the bedrock of the environment where employees are fully invested and engaged, so much so, they go to great lengths not to put it at risk.
See “When Business Gets Personal” for the first in this leadership series from Christopher Burgess.