Most people intuitively understand what malicious insider risk is. It could be an unhappy employee looking to sabotage internal systems or leak confidential information. It could also be a financially distressed person looking to sell corporate secrets to pay off gambling debts or unexpectedly high medical bills.
Meanwhile, non-malicious insider threat, which is 75% of all insider risk, comes in three distinct varieties. According to MITRE, non-malicious insider threats include:
- Negligence by an employee whose inattentiveness leads to information spilling out where it should not.
- Mistakes that can't be attributed to carelessness, like posting confidential information in ChatGPT.
- Being outsmarted in a phishing attack.
It’s about the people
Insider risk is largely a people problem. Successful insider risk solutions focus on people, not technology.
First, because most insider risk is non-malicious, insider risk programs should focus on helping companies create a culture where everyone knows they have a part to play in keeping the company safe. Building that collective security culture requires trust, transparency and education. Because HR is largely responsible for the culture and training within an organization, and a large chunk of insider risk can be prevented through educational programs, HR needs to be heavily involved in insider risk programs.
Negligence and carelessness can be addressed by helping individual employees understand what is at stake and the critical role they play as part of a collective defense. While everyone makes mistakes, education is also part of helping employees avoid making mistakes that could put the company in danger. For example, it could be a reminder for individuals who are handling confidential information frequently to make sure they go through a checklist of all the cybersecurity protocols before posting content to the web or sharing confidential sales information.
Change management is hard
Instituting new programs is tough. Programs need champions, and they need champions at the highest level. New programs need someone to take ownership from inception through execution. Insider risk programs are like that as well. Fortunately, more boards are becoming aware of the importance of insider risk programs. As a result, buy-in for these programs comes at the highest level as many C-level executives now receive bonuses based on the cybersecurity maturity of their organizations.
The program’s success depends on finding the right internal champion and determining what department will own it. Not surprisingly, because insider risk is largely a people problem, many organizations have HR take ownership of the programs. Of course, IT needs to weigh in in terms of finding the best solutions. And legal needs to be involved because if an insider threat needs to be investigated, it has to be done in a way that is legal and will stand up in court, if it gets there.
Getting the right people to help people
Companies have dedicated significant resources to fighting threats, but they have only just now realized how much of a threat insider risk is. Nasty headlines have helped companies reexamine their focus. While it's tempting to treat insider risk like many other cybersecurity problems, as largely a technical problem, inside risk is primarily about people. Non-malicious insider risk can largely be addressed through a change in education and culture within an organization. Technical solutions are required to buttress the culture and education fixes that mitigate insider risk, but they should support the insider risk program — not be the lead.