Peter Erceg managed security for one of the largest mobile operators in the United Kingdom. He sat down with Dtex CEO Mohan Koo to talk about what it took to implement an insider threat program in Europe, taking into consideration privacy laws, employee culture, and input from company leadership. You can watch the full interview above.
The conversation got us thinking about what it takes to implement an insider threat program in the UK. Here are our top three takeaways from our sit-down with Peter:
Privacy Laws Aren’t a Road Block
“Ultimately, the staff for organizations really want to make sure our customers’ data is secure, so they understand the concepts and are prepared to accept the software, provided we follow best practices.”
At first glance, it looks like employee monitoring of any kind would be a no-go under Europe’s stricter privacy laws and workplace culture. But that’s over-simplifying the issue at hand. Dtex only collects metadata — no keylogging, screenshots, or any other invasive measures. This data can go through an optional anonymization process, which has proven useful to our customers in the UK and throughout the rest of Europe.
Most importantly, privacy compliance didn’t hinder Peter’s initiative. In fact, he said implementing the program in the UK was as simple as having the right conversations. Which brings us to our next point.
Communication is Key
A recurring theme throughout Mo’s discussion with Peter was the importance of communication. In almost all of his answers, Peter emphasizes how clear and open communication helped the project go smoothly. For example, he and his team spent time explaining to leadership and the board why Dtex was the right solution for their needs:
“It was really about selling the solutions. It was about being the right fit, not being too heavy-handed, not being too light, being the right fit for the company to protect its customer data and the whole company going forward.”
But this didn’t just go for leadership. Peter also emphasized the importance of transparency with staff and employees. In particular, he mentioned that it was important to explain to employees exactly what information was being collected and what it would be used for.
“We really talked to them about the issue that we had, what we were trying to achieve, what the benefit to the staff was… But we [also talked to them about] what controls we replaced. That’s really important.”
Don’t be Afraid to Be an Early Adopter
When Peter began building an insider threat program at his enterprise, insider threat wasn’t even a commonly recognized term — let alone a category of security software. As a result, he and his team had to do a lot of learning and development as they created the program.
“When we started using insider threat software, it was very new in the industry. The tools were there. You had to develop it as you went along.”
But with patience and an open mind, Peter and his team did manage to build a strong, effective insider threat program — even long before there was a label for their efforts. When all was said and done, their organization was more secure and they were ahead of the game when insider threat became a major issue years later.
Ready to Start Building Your Insider Threat Program?
Inspired by Peter’s story? Thinking of building an insider threat program of your own? The first step is to find out the real risks within your organization (and you have them, even if you think you don’t!). Our Internal Risk Assessment will give you a detailed breakdown of the threats in your enterprise.