Insider Risk or Threat Management (IRM) programs are quickly becoming a must-have for global organizations and enterprises. The risk of losing customer information, trade secrets, and other sensitive data due to negligent and malicious actors poses a real threat. The rise of the super malicious insider, recruitment campaigns by international hacker groups, and the loss of visibility of ‘at risk’ employees targeted by ransomware and phishing attacks makes understanding and stopping internally-born attacks critical.
While the threat from malicious insiders extends beyond any border, there remains a tendency to think of these programs as domestic. After all, if you’re based in the U.S. you need to comply with U.S. laws. Few companies are that isolated any more. As organizations expand their operations into new countries, they can’t assume their domestic IRM program can simply be applied “as is” in the new jurisdictions.
IRM programs need to account for the legal requirements of each jurisdiction where the company operates. This can seem daunting. The growing enforcement of the EU General Data Protection Regulation (GDPR) and the rapid introduction of “GDPR-like” data privacy laws across many different countries can make navigating IRM requirements a challenge even for organizations with well-staffed compliance, risk, privacy, and SOC teams.
For example, the company’s ability to examine and process employees’ personal email sent on work devices varies between countries. In the U.S. and U.K., employers are entitled to monitor private emails to establish whether the contents are business related. If the emails are clearly personal, the contents should not be processed unless there is a suspicion—and evidence—of misconduct. In the EU, due to GDPR, it is illegal in most cases to process the content of private emails. An employer may be permitted to open an email to establish whether it is a business or personal email, but processing must be ceased if the email is found to be personal.
Multi-national IRM policies also need to consider what data is captured about a user’s activities. An important part of managing insider risk is visibility into user activity. This, of course, includes which applications they are using, what data they are accessing, and the actions taken with that data. A typical surveillance-oriented IRM system can capture much more, including screen images and keystrokes. How and what the system captures has a significant impact on employee privacy, and the steps required to protect employee privacy vary between countries.
To avoid running afoul of stricter employee privacy regulations, your multi-national policies and solutions should avoid intrusive surveillance tools. It is possible to protect sensitive data from insider risk while also protecting user privacy; it just requires a different approach.
There is a lot more to understand about how to build a multi-national IRM program. Get in touch with our team today to schedule a meeting to discuss guidance for your multinational organization on Insider Risk Management and Employee Privacy.