Reducing the Impact of Unmanaged Insider Risk Through Continuous Evaluation
Workforce risk is continuously changing, so why rely on pre-employment background checks alone?
Every day in businesses across industries, myriad negative events occur within a company’s workforce, which can include everyone from full-time employees to part-time staff and contractors. These events can range from absenteeism, performance issues and complaints from peers to cybersecurity infractions, access control violations and physical crime. Often, these events are benign and have little impact on the company. But in other cases, they are highly detrimental and can result in many millions of dollars in losses. They can go against the company’s policies or even against the law. But one thing is usually common across all of these events: typically, the company finds out about the unmanaged risks ONLY after an event has occurred. By then, the unfortunate damage is done.
The ability to proactively evaluate, diagnose and mitigate workforce risk by knowing and understanding all risk factors is critical. Companies must move from a reactive to a proactive workforce risk management approach. The days where risk management is only associated with IT and financial monitoring are over. Leaders now know it takes a C-level focus across the entire enterprise including security, compliance, technology and human resources to truly address workforce risk.
Unmanaged Workforce Risk is Bad Business
Workforce risk lacks attention even though it is associated with the most expensive and vital asset at any company: the employees. Knowing the risks that employees can pose is critical for CSOs, CROs and other executives looking to implement comprehensive risk management and mitigation programs. These programs are a key to any company’s ultimate security and revenue assurance.
The business impact of unmanaged workforce risk is significant. The average U.S. company loses approximately five percent of its annual revenue to white collar crime committed by its own employees. And those risks increase by level of employee. Median business losses caused by executives are 16 times those of their employees. And the average loss caused by managers is four times those caused by employees. Organizations have an obligation to manage workforce risk. They need to ensure the safety of employees and customers, while protecting their brand and reputation. Companies need to guarantee financial well-being and comply with federal and state regulations.
The Answer is Continuous Evaluation
How do organizations manage this risk today? Background checks are commonly used prior to onboarding employees. Occasionally background screens are conducted periodically afterwards. These static snapshots do not address the dynamic risk presented by a workforce, especially as mobile and digital technologies blend work and life.
The monitoring of device and network access is also commonly utilized to evaluate workforce risk. While the importance of strong cybersecurity protections cannot be overstated, there are proactive insights that can be gained by broadening security’s focus. The monitoring of device and network activity only demonstrates already existing internal issues or abnormalities. It will not provide insights into potential risks to an organization that are driven by an individual’s actions outside of work. Understanding holistic workforce risk, inside and outside the company, is required to reduce the impact of insider risks.
Continuous evaluation helps organizations understand the risk of their workforce. This enables them to take the most appropriate mitigation steps based on corporate policy and business regulations.
Continuous evaluation is the proactive, accurate and actionable assessment of risk-causing events in a workforce which are business-relevant and privacy-centric. Continuous alerting of such events shifts an organization from reactive responses to proactive mitigations. This benefits both the organization and the individuals within the workforce. Learning about major risk events as they are actively occurring enables an organization to see potential risks as they build, while there is still time to intercede with employee assistance prior to any negative impacts.
The need for accurate, complete and actionable insights is obvious, just not easy to accomplish. Acquiring and aligning accurate, complete external events to the correct employee identity, on a continuous basis, requires sophisticated data integration, event categorization and identity matching capabilities. Many organizations attempt to manage workforce risk with raw or simple data feeds, which shower them with substantial amounts of data. But this does not support accuracy or completeness, causing significant numbers of false positive and false negative events. Having to investigate false positive events wastes time and money. Missing events – false negative events – defeats the purpose of having continuous evaluation. Without accuracy and completeness, the company cannot have actionable insights to reduce workforce risks.
Business-relevant and privacy-centric insights go hand in hand. Different companies and even different employees within a company may have different risks. Having insights on the types of risks that are relevant to your business and to the specific roles within your business, enables the efficient management of risks. Being fed any type of external event data for an employee, regardless of business or role relevance, not only creates needless noise and costs, but also creates employee privacy issues.
No Company is Immune
Many companies take an “it will never happen here” mindset to insider threats because they believe they hire the best, most honest and trusted employees. While they may have initially hired “the best” employee who had a bulletproof background screening years ago, there can be many stress factors in an individual’s life which occur post-hire. Those stressors can include a difficult divorce, a DUI or assault charge or some other type of arrest, a bankruptcy or lien – the list is endless. Most of the time, these stressors are external and out of sight of the employer. However, in some cases, these stressors can lead to or exacerbate motives and pressures which cause events internally at the organization. Gone are the days where executives can say “we did not know” an employee was a risk or harm. Consumers, clients, regulators and the company’s own employees expect the company to apply the same level of rigor they use to evaluate the risk on other critical assets to evaluate their most important asset – their workforce.
Misinformed and unschooled executive teams believe that evaluating their workforce’s risks would negatively impact their company culture. Quite the opposite is true. The majority of any workforce are hardworking, dedicated individuals who have a vested interest in the success of the company. The understanding that a company wants to ensure everyone else around that dedicated individual is working for their best interests is reassuring.
Knowing the critical components to enable the effective and efficient continuous evaluation of workforce risk, the final question is: what tools are needed to achieve success? As mentioned previously, many companies believe continuous evaluation can be achieved with simple refreshed data feeds. This provides reams of data but will not create actionable and relevant insights. To mitigate risks before they impact the business, I recommend the utilization of a purpose-built platform that performs heavy cognitive actions on the back end. These include:
- Algorithms for standardizing records, categorizing events and matching identity automatically;
- Notifications and alerts of significant events delivered through an easily accessible portal so that risks can be quickly identified;
- Enabling proactive policy enforcement and ensuring that employee assistance programs (EAPs) are effectively used and risks are mitigated before they impact the business; and
- Generating customized reports on the entire workforce or on specific populations to help employers with a macro-level understanding of their risks.
If your company is ready to evaluate the risk profile of your most expensive and vital asset, you should ask yourself a few questions: Do you have a solution to truly evaluate that risk, and not just at certain points in time and with internal data assets? Can you continuously monitor employees with a holistic view of the workforce risk? Don’t fall for the frequent misconception that continuous evaluation is the continual application of a background check. The corporate ecosystem is littered with companies that made that very costly mistake.