Every generation has lived in ‘unprecedented times.’ The variables are constantly changing. Currently, there are a few factors that can make it even more tumultuous if business security is a top concern. But it’s not all bad news. There are steps and considerations security leaders can take to protect financial and intellectual assets.
The past three years have seen a rise in sanctions and political pressures, waves of recessions and higher employee turnover. The attack on the power grid in Moore County, North Carolina, and the leak of information from the Supreme Court show how immediate and impactful information can be in the wrong hands. According to a recent report, insider threats accounted for almost 35% of all unauthorized access threat incidents in Q3 of 2022. The danger is real, so what can be done about it? It comes down to the design of an organization’s insider threat program (ITP).
When thinking of ITP design, it’s easy to assume it comes down to layers and redundancy, such as two-factor authentication, data loss prevention and other technical stopgaps. The heart of the matter is much more human.
Get support/buy-in from the right C-level member
A program is only effective if it’s utilized and supported by the company, meaning executive leadership needs to be on board and actively participating. The most crucial indicator of a successful ITP is the level at which the executives are engaged.
The specific title may vary. A chief operations officer or general counsel is often the best candidate, with broad organizational positioning that allows them and the ITP to receive the support needed to be effective.
Recognize a potential threat, make a change
Seventy percent of all insider threat cases relate to some kind of financial motive. Understanding the different financial and compensation structures that impact different teams is an excellent place to start. At big banks, traders have different financial incentives than most other employees. The same can be said of many business development executives in a large number of corporations. Recognizing that these disparities in incentive structures may increase risk, and taking action to decrease the likelihood of threats, makes sense.
Where most ITPs miss the mark — not understanding culture
The topic of corporate and/or team culture is rarely mentioned in the context of recognizing and addressing insider threat issues. Organizations are complex, and the factors which contribute to corporate culture (the shared attitudes, values, goals and practices) are complex and intertwined as well. An effective ITP incorporates the review of organizational practices which may increase the potential for insider threats.
Such reviews may discover policies which inadvertently benefit one employee group over another, thereby increasing tension within the work groups, such as the financial incentive programs mentioned earlier. Another example may be circumstances where one set of employees has unrecognized access to corporate trade secrets or sensitive intellectual property.
Successful approach means realigned focus with intent
Effective ITPs are led from the top of the organization and focus on the employees, while technology provides key support in identifying potential risk and in understanding the context within which employees work. Any company can suffer a catastrophic loss from an insider incident. The risks are too great to not take the time to be deliberate in developing an ITP.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security magazine.