Avoiding Alienation: Implementing an Insider Risk Program Without Losing the Trust of Your Employees
Insider risk is a major concern for organisations as it can have serious financial, regulatory and reputational consequences. Insider risk refers to the potential for employees, contractors, and other insiders to exploit their legitimate access to systems and assets for unauthorised purposes. Insider risk can be malicious, such as corporate espionage, theft of IP, theft of data or sabotage. It can also be unintentional, such as a lack of training or poor security practices leading to data leaks and breaches. There are numerous ways that organisations can protect themselves against Insider Risk. But successful program implementation relies heavily on not alienating the workforce in the process.
What is the scale of Insider Risk?
In 2022, the Microsoft report “building a holistic insider risk management program” established that the average organisation faces up to twenty insider risk events per year, with the financial cost often being more than $500,000 for a single event. This is before other factors, such as loss of brand reputation and trust, have been calculated. Inadvertent insider events are believed to be far more common but less costly.
There are some behavioural indicators which can identify someone as more likely to become a risk and a study conducted by the Centre for the Protection of National Infrastructure (CPNI) identified some demographic statistics, however, insider risk is notoriously hard to predict as the motivations and capabilities of insiders vary. An insider may deliberately seek employment within a specific organisation to conduct an insider act, or they may be triggered to act at some point during their employment either by becoming disenchanted by their employer or through coercion by a third party, typically a criminal, competitor or state actor.
Employees, contractors, suppliers and business partners are often the weakest links in a security system as they are able to bypass physical security measures and have access to vital systems and assets within an organisation. People, due to human nature are also susceptible to social engineering by hostile actors which can enable malicious acts to take place.
How can insider risk be mitigated?
Organisations can help to protect themselves against the damaging effects of insider risk by taking our top ten steps.
- Thorough vetting: It is important to conduct thorough vetting of employees, contractors, suppliers, and business partners relative to the level of access and privileges their role will entail.
- Implement strong security policies and procedures: They should be accessible and should clearly outline acceptable behaviour and the consequences of violating security policies.
- Ongoing monitoring: Both technical and human resources departments can play a role in ongoing monitoring to identify potential insider risks.
- Implement separation of duties: Ensuring that different employees are responsible for specific roles and responsibilities can help prevent any one individual from having too much control or access to sensitive information.
- Implement access controls: Limiting access to sensitive information and systems to only those who need it can help prevent unauthorised access and misuse.
- Strong security culture: A strong security culture can help to prevent insider risks by promoting secure practices and reducing the likelihood of human error.
- Training: Providing staff with a good understanding of security best practices can help them understand the importance of protecting sensitive information and can reduce the risk of accidental insider risk. Supervisors and colleagues should also be trained to recognise the signs of insider risk, such as unusual behaviour.
- Adequate channels for reporting: It is important for organisations to have clear channels for employees to report suspicious activity or potential insider risks.
- Implement an incident response plan: Having a plan in place for responding to an insider risk can help minimise the impact of an incident and prevent future occurrences.
- Thorough investigation: When an insider risk is identified, it is important to conduct a thorough and efficient investigation to understand the scope of the risk and establish how it could have been detected and prevented.
A key point from the Microsoft report was their change from a fragmented approach to insider risk to a holistic one. Insider Risk should not be managed in silos, for instance insider risks can be missed if financial problems or social media violations which are known to HR are not managed alongside events delt with by IT such as a change in working patterns or unauthorised access to data.
What are the drawbacks of Insider Risk programs?
One potential drawback of insider risk programs, especially via the large variety of monitoring products available, such as UEBA (user and entity behavioural analytics), is the potential for employees to feel that their privacy is being violated or that they are being unfairly targeted. While monitoring employee activity can be an important part of an insider risk program it is important to strike a balance between monitoring and maintaining employee morale
Another potential issue is the possibility of false positives, where an employee’s legitimate actions are flagged as potentially risky. This can be frustrating for the employee and the impact can be a lack of productivity.
Finally, implementing and maintaining an insider risk program can be resource-intensive and costly. To ensure the program is effective, It’s important for organisations to dedicate the necessary resources to correctly calculate the balance of their assets, vulnerabilities and security requirements.
How can employee trust be achieved?
The Microsoft report found that organisations that took a holistic approach to data security and developed a strong security culture were more successful in mitigating insider risk. A strong security culture that includes employer-employee trust, employee privacy rights, strong communication, and effective training can help to create a positive work environment while also reducing the risk of insider risks.
To create a strong security culture and find a balance between monitoring and optimal business performance, organisations can implement positive incentives such as morale-building events and strong employee training programs. Employees who are happy in their employment and have a good work-life balance are less likely to engage in malicious behaviour or make mistakes.
Organisations should communicate the importance of their insider risk program to employees to ensure that they understand how it will be implemented. By keeping employees informed and involved, organisations can minimise the risk of alienating staff and instead create a culture of trust and security.
When monitoring employees, one effective tool for improving trust is pseudonymisation, which involves replacing personally identifiable information such as names with pseudonyms. This can help to reduce the potential for privacy issues during false-positive events.
It is also important for organisations to have protocols for deleting investigation flags after a certain period. This can help to ensure that data is not retained unnecessarily and that privacy is respected.
In addition, it is important for organisations to ensure that those who are most likely to abuse or leak data are not responsible for investigating potential insider risks. This can help to reduce the risk of conflicts of interest and ensure that investigations are objective and thorough.
In Summary
Protection from insider risk should be a fundamental element of an organisation’s security strategy. For an insider risk program to be effective it should be holistic, A holistic insider risk program will have buy-in from management and will include the right people, processes, training and tools to manage insider risk. For instance, stakeholders should be from a variety of departments such as security, finance, legal and HR. Employee trust and training should be key priorities, employees who understand and agree with the program are more likely to support it.
By Hayley Elvins
Managing Director, Sloane Risk Group
Sloane Risk Group is a well known and trusted security consultancy specialising in protective security and counter-espionage. Our insider risk consultancy service assists with every aspect of an organisation’s insider risk journey starting from assessment of current security maturity, security culture and insider risk strategy development to the introduction of full insider risk programs, innovative technology solutions, enhanced vetting procedures, staff training and insider crisis event management and investigation.
0203 633 06 72
