Building an Insider Threat Program Without Becoming Big Brother

I don’t believe that there’s an enterprise in existence that wouldn’t benefit from an insider threat program. Nearly every enterprise will experience repeated data theft and confidential data exposure as a direct result of the accidental or deliberate actions of one of their trusted insiders. I know that’s not easy to hear, but it’s true.

Consider a survey conducted by Osterman Research. The survey found that 69% of respondents experienced significant data or knowledge loss as a result of employees taking information with them when they left, as Andy Patrizio wrote in his CIO story, “Sensitive data often follows former employees out the door.”

Despite how pervasive and serious the risks posed by insider threat are today, few organizations have an insider threat program in place, and fewer still have an effective insider threat program.

There are a number of reasons insider threat programs aren’t very common. The first is that getting started in building an insider threat program can be overwhelming – even though it doesn’t have to be. Some of these challenges are technical, such as the failings of traditional data leak prevention products. Other challenges are cultural; for instance, many organizations fear that their insider threat program could turn into a Big Brother level of oversight.

However, when done right, an insider threat program doesn’t have to become Big Brother. In fact, it doesn’t have to become overbearing or negatively affect culture. In this post, I share the key insights I’ve learned that will help any organization get started with an effective insider threat program that won’t turn into Big Brother.

Earn the support of your executives

It’s true of any data security program, but especially of an insider threat program: to succeed, you need to have the support of business leadership. It will be your organizational leadership that ensures the program gets the continuous funding it needs, as well as the political backing to overcome any speed bumps that arise.

Obtaining that support is best achieved by articulating to executive leadership the real-world risks to the organization so that they understand the threats and how important it is to fund and support such an effort. This will require detailing the types of data risks your organization faces and the strategy for mitigating those risks.

Earn the support of stakeholders throughout the organization

Partnership from other business stakeholders, such as the legal department and human resources, is also essential. If you are trying to build effective data security and insider risk management processes into your employee onboarding processes, job changes, and terminations, then you will want to work closely with the human resources and legal departments. If these departments are not engaged with the insider threat program, you run the risk of having an ineffective program on your hands.

Prepare for culture shocks

One of the reasons insider threat programs can appear authoritarian is that they are designed without the existing internal culture in mind.

When it came to managing insider risks at a former employer, it was common for me to run into cultural issues. We were always working closely with our vendors, many of whom were based in Silicon Valley. While discussing data risks with these organizations, we often learned that they did not have even the most basic controls pertaining to insider threat, including not bothering with employee background checks. They often didn’t understand who was joining the organization. “We trust our people,” they’d say. “We only hire the best, most talented people. Everybody wants to work here. Why would anybody do anything bad here?”

In building an insider threat program, you’ll have to deal with such cultural barriers, and the challenges to overcome them are real. Essentially, to overcome those challenges, you will need to convince staff and everyone throughout the organization that the focus isn’t on punishing people doing things they shouldn’t, but rather protecting the organization’s data and its business viability.

For those in regulated industries, this conversation is likely a lot easier to have with executives and staff. When you work in a regulated industry, it’s evident why certain types of data must be watched and protected, and it’s easier to extend that to other kinds of data.

For those working outside of regulated industries, where it’s not mandated that data be protected, it’s undoubtedly a much more challenging argument to win. But it’s an argument that executives will be receptive to if you explain the costs to the business associated with losing data or intellectual property that is important to the organization.

Make sure the program is transparent

Another reason insider threat programs can appear oppressive is that they are built in secret. When staff are aware of the insider threat program, but they don’t understand why it is in place, they are more likely to grow resentful and even fearful of the program. Also, when staff aren’t at all aware of the insider threat program, they can be very brazen in taking data that belongs to the company. There is no reason to take either of these counterproductive approaches.

When organizations are transparent about the insider threat program and why it’s necessary, then staff, contractors, and business leaders will be more supportive of the effort to protect intellectual property and confidential and valuable information.

Establish acceptable data use policies

Everyone will feel better about the program if they are not finding themselves second-guessing whether or not they are acting within protocol. Are they permitted to use cloud storage services? If so, which ones? Can data be moved to USB devices and other local, removable storage devices? What about sharing data on corporate collaborative platforms such as Slack or Microsoft Chatter? What’s the policy for taking data home and/or keeping it on their notebooks?

Staff and contractors need clear demarcation lines of what is an acceptable use of the organization’s systems and data and who owns the organization’s data. Employees must be made aware of these policies.

Data risk will vary depending on the organization

The specific type of data that is protected will be dependent on the nature of the organization and the industry in which it works. The types of data and roles that will pose more significant risks will vary among different types of organizations. An aerospace engineering firm or defense contractor will have a different risk posture than a law firm, financial services firm, or pharmaceutical company. Within all of these organizations, there will be a lot of targeted information that can be monetized and is important to the organization, but the nature of the data (and who can access the most valuable data) will vary.

Put the right data protection tools in place

Although much of your insider threat program will consist of data security policies and employee training and awareness, those policies will need to be enforced with technology. When considering the types of tools that will support your insider threat program, choose the best tools to provide the capability to detect, investigate, and respond to data breach incidents with the appropriate level of insight.

Another consideration is how well the tools you select will integrate within your environment. This must be viewed from the standpoint of how well it will work with both internal processes and existing toolsets. For example, if you have an established automated employee off-boarding process, can you connect to those processes so that you have timely, accurate insights into employee status changes? The same holds true when it comes to employee onboarding.

Provide ongoing training and awareness

Ongoing security training and awareness exercises are essential for maintaining good data security practices and muscle memory for all employees across the organization. If your organization has an existing security training and awareness function, you can integrate insider threat messaging into awareness exercises.

Incorporating insider threat scenarios into ongoing security training and awareness will also help employees understand the importance of the risks you’re trying to manage. This will help employees understand the rationale and can also create allies within your organization.

Build a sustainable program that will change with the times

Just as your organization and business environment evolve over time, so will your organization’s risks. So, it is important to ensure that your insider threat program can keep pace with the changes in your business and risks. Fundamentally it’s about keeping your focus on effectively managing data exfiltration and insider risk as your organization evolves.

All of this may seem straightforward—and it is—but that doesn’t make it easy or swift to accomplish. Like so many effective processes, the important thing is to keep your insider threat program risk-based, aligned with your organization’s culture and nimble enough to evolve with your organization.

If you’re building an insider threat program from scratch, start small, keep it simple and be open to making changes. Early wins are important and will help drive the success of the program. Furthermore, they will keep the support of executives and staff who understand that the organization’s long-term success depends on protecting its data. Because it certainly does.