Building an Insider Risk Program by Focusing on People
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Armaan Mahbod of DTEX Systems lays out the blocks for building an insider risk program that places the employee at the center of focus.
While most headlines focus on external cyber threats, industry experts recognize that those stories obscure the need to focus on insider risk, which poses a significant threat to every company. According to the Ponemon Institute’s 2023 Cost of Insider Risks Global Report, it takes roughly 86 days to contain an insider incident, the average annual cost of insider incidents to an organization is $16.2M, and both figures are trending upward.
Those numbers have prompted cybersecurity and IT professionals to take a harder look at their existing insider risk programs and have pushed organizations without one to seriously consider starting one. Of the companies that don’t currently have an established insider risk program, 77 percent said they have either started or plan to build one. A key challenge for those organizations is how to move from conception to execution.
Developing an Insider Risk Program Means Offering Support, Not Suspicion
The key to building an insider risk program is realizing that it’s about people, not technology. Most insider risk is non-malicious. According to MITRE Corporation, most insider risk comes from people who are not trying to cause harm to the organization but are simply trying to do their jobs. MITRE reports that one type of non-malicious risk is negligence, people who put the organization at risk through inattentiveness or carelessness. Sometimes, an insider makes a mistake, like publishing confidential information to an unprotected server. And sometimes, employees are outsmarted through social engineering attacks.
MITRE recommends developing insider risk programs that specifically address each type of insider risk. For example, companies should offer training on how to recognize phishing campaigns, and they should encourage employees to report those phishing attempts to IT. Companies should also have training to help all employees understand the importance of their actions in keeping the company safe. People are the first line of defense against insider risk. Companies should focus on creating a culture of trust that brings everyone within the organization into the fold to help mitigate risks.
Cross-Cutting Collaboration is a Must
Developing and implementing any major program within an organization involves change management. The champion for implementing the insider risk program should be skilled at working across silos within your organization. Insider risk programs reach across multiple departments, including HR, IT, cybersecurity and legal. HR needs to be involved because a recent study found nearly 75 percent of all insider risk investigations were started by the HR team. Legal needs to be involved for two significant reasons. The laws about what kind of data you can collect for your insider risk program vary from country to country and state to state. Your legal department will play a large role in helping you provide protections and safeguards for personal data. Also, if an organization needs to move forward with legal action, the legal team will help the insider risk team create consistent processes for how to start and conduct an investigation.
The program will also need the buy-in and support of senior leadership within the company. Insider risk is an issue that directly affects everyone within the organization, and a solution requires company-wide buy-in and support. To succeed, programs this widespread that touch on so many different departments require senior leadership to say, “This is important to us as an organization, and everybody needs to participate.” The mandate from leadership is an effective tool for removing potential roadblocks and rolling out insider risk projects, and the continued focus of senior leadership on insider risk is what drives those programs to be successful in preventing insider risks from becoming headlines.
Where Should Your Insider Risk Program Reside?
A critical step in developing an insider risk program is deciding where it should reside. Some companies place the program within the domain of the Chief Risk Officer (CRO). Because CROs are focused on the organization’s strategic and operational risk, they immediately understand the importance of an insider risk program. They also have a direct line to the CEO, which makes them an effective champion for rolling out the program and securing the resources necessary to maintain it.
Other organizations have the program reside with the legal department. Every investigation needs to be handled with an eye to possible court proceedings, and the legal team is best placed to ensure evidence is collected and handled in a way that will hold up. The legal team also has swift access to sensitive or classified data that might be required for an investigation and that other departments might not be able to obtain easily.
Many organizations choose to house their insider risk program within HR. Because insider risk is a people issue, and one of the key indicators of an insider threat is a change in behavior at work or a change in a person’s home life, HR is the department most likely to see and identify that marker. HR also sees the events that often precede an incident, such as a poor performance review, a disciplinary action, or a resignation. Many leaders also think HR is the best department to develop the culture of trust that helps everyone across the organization buy into the program.
Finally, CISOs and CSOs have security expertise, and some organizations rely on that experience to run insider risk programs. Regardless of where the program ultimately sits, the key objective of the leader is to understand where the insider risk champions are in each department and have their support to drive the program forward.
Putting It All Together
From inception through execution, developing an insider risk program is about people. While the final solution will involve technology, creating an insider risk program is about understanding the different types of insider risk and understanding how to manage them in a way that is proportionate and fair.
As companies are developing and deploying their insider risk programs, they need to communicate clearly with employees about the program. Employees are an essential part of the solution, and communication is vitally important in creating an effective insider risk program.
The leader of this communication, working in combination with the HR team, needs to be the insider risk champion. Every program needs a champion capable of working across silos to make sure the program has the support of various stakeholders across the organization. As insider risks rise, more companies are following the steps above to make sure that they have the right insider risk program in place to keep insider risks from becoming headlines.