Industry Insights

Focusing on the human element of Insider Risk

5 min Read

Riley Bruce

Security Community Evangelist Manager

3 Takeaways from our conversation with Elsine van Os and Alex Gobbi.

Recently, we got the opportunity to discuss the human element of Insider Risk with Elsine van Os, Founder and CEO at Signpost Six, and Alex Gobbi, CMO at Code42. You can find the transcript for the full conversation below, but here are top highlights:

1) There is low hanging fruit. Grab it.

There are three places that organizations can begin to address Insider Risk even without a technological or program investment. They are:

  • Employee lifecycle management: Make sure to actually turn off account access when an employee leaves the organization. Additionally, during the course of the user’s employment, run regular audits for permissions and access management to ensure that permissions creep doesn’t leave your organization vulnerable.
  • Training and education: This is as true when talking about Insider Risk as it is for the rest of your information security posture. Arming your organization with the knowledge of risk factors and the proper methods of response is key to getting a handle on Insider Risk.
  • Contextualize and correlate: As was mentioned in a previous version of Code42 Live, your security organization will need mechanisms to collect and then view and correlate data points to ascertain when and if a risk has become a threat. This correlation may happen within your SIEM or other tools which you may already have in-house or with a dedicated tool such as Incydr.

2) The threat landscape is crowded (and getting more so post-pandemic).

Sync and share solutions, contractor and gig-work, millions leaving their current jobs, and geopolitical tension are all contributing to an increase in breaches caused by the actions of those on the inside. This is further exacerbated by the increased reliance on remote work and the distractions and lower visibility inherent to a distributed workforce. None of this is new, however, it is all combining to form a perfect storm for increased Insider Risk.

3) Where there are humans, there is chaos. Embrace it.

Not five seconds into the webcast, our host inadvertently exhibited this through an object lesson; he forgot to turn his mic on. Humans are not perfect, and especially after the past year, expecting perfection (in the form of restrictive policies and/or harsh enforcement) will likely backfire. When building out an Insider Risk Management program, make sure you take the human element into account and tailor your program to meet the needs of your workforce and culture.

For the full readout of what we discussed in the session check out the transcript below or watch the video here:

Tune into the next session of Code42 Live on June 22nd at 12PM CT to join a discussion on how to properly prioritize Insider Risk. For anything else, feel free to reach out to Elsine, Alex or Me on LinkedIn and we’d be happy to connect.

Video Transcript:

Riley Bruce – Welcome, everyone to Code42 Live. Today, we have Elsine van Os from Signpost Six and Alex Gobbi from code 42. And we will be talking about the human element to insider risk management. And one of those human elements is when the host forgets to press the mute button as the stream is starting. So that is something that.

Alex Gobbi – Keeping it real, Riley.

Riley Bruce – Yes, we are in fact live. This is not canned and if you need proof, that’s what you just got, I guess. So thank you both, Elsine and Alex for joining us today and everybody else who’s joining us live on LinkedIn, YouTube, or at code42.com/live. As you have questions and comments, please throw them into the chat or into the comments for the platform that you’re watching on And we’ll be sure to address them here on the, I’m just going to say program, show, on the stream, there we go, that was the word I was looking for. So first things first, we need to explain who these two human beings that we’re having a conversation with are. And Elsine, if you want to take a couple of minutes, talk about who you are, a little bit about what your work is and then maybe a fun fact or anything you want folks to know.

Elsine van Os – Yeah, Elsine van Os, great to be here and on the stream. And already seeing some nice starting points with the as you’ve mentioned. I’ll say at most, I’m a clinical psychologist by background but I’ve always worked in intelligence and security. I started in military intelligence and then set up our threat assessment departments for Shell International worldwide. And within Shell, I realized there were also issues within the organization itself. Which is very understandable for an organization of that size. And five years ago, I set up Signpost Six and that’s a training consultancy for insider risk management. To help organizing companies themselves around the subjects and I think that’s exactly what we’re going to discuss today as well.

Alex Gobbi – And Riley, you are on mute again.

Riley Bruce – I don’t think I am, hang on.

Alex Gobbi – There you go, now we hear it.

Riley Bruce – Nothing like live. So thank you, Elsine. It’s really wonderful to have you today through these tribulations. But Alex, do you want to share a little bit about who you are and maybe a fun fact?

Alex Gobbi – Yeah, great, thank you so much. And first of all, I want to say thank you for Elsine for joining us today. Elsine is on the other side of the Atlantic, very near to my home country. It’s something that Elsine and I share in common. So maybe I’ll start with the fun fact, Riley, Elsine and I both speak Dutch. She’ll say I have an accent, I’ll say she has an accent, but she’s from the Netherlands and I’m from Belgium. But we have connected not just on the insider risk management front but also on a personal front and just by ways of background. I’m Alex Gobbi, and I’m the chief marketing officer for Code42.

Riley Bruce – Yes, thank you. And hopefully I am not on mute this time and we can proceed forward with our first question. And it looks like we did have someone comment just saying hello on LinkedIn. So, hi, I hope I am not saying your name incorrectly but, hi Anneil, thank you for joining us. As you have other questions feel free to throw them on the comments there. And the first question that I have for Elsine here, and this is about insider risk management but specifically humans, is in what way do you see the threat landscape evolving over the past few years? And this is actually inclusive of the period since COVID but maybe even before that this shift seemed like it was already happening. And yeah, wondering what your insights are on that.

Elsine van Os – Yeah, thank you. It’s a very wide question because there are a lot of answers on a wide variety of levels to that question. I think in general, really the reliance on the, on data and digitalization has really made us much more vulnerable. And yeah, remember that’s in the past when we had data theft happening. And I think this was the case with Jonathan Pollard, who was spying for the Israelis at the time. He actually walked out of the organization with boxes of information. And now you can, you don’t even need to walk out with a USB stick. You upload it to the clouds and nobody sees it, nobody hears it, nobody sees it physically happening really. And that makes us much more vulnerable nowadays. Also, the amount of data that you’re able to move, but also where you’re able to move it and sometimes even putting it in the public domain for everybody to see, yeah, the scale and the impact is so much bigger. I think also, another thing that’s happening is in the world of cybersecurity there is an increasing amount awareness happening. There is some sort of a cybersecurity war that’s in fact happening. The stronger your external defenses, the more weaker you’re becoming also from the inside. And the targeting of individuals within organization can happen more and more with the stronger your other security measures are being. So that’s another thing that’s developing as well. And I think also really, if we’re talking about the human factor, which is also the topic of today, on the workforce level they’re really developing concerns. So, and then I want to point to more the hybrid short-term contracts. People moving in and out of organizations much more nowadays than in the past. And with people moving from organization to organization, there is enormous amount of data flowing out of an organization as well. So out of so many people taking data with them to their employers, with that sense of entitlement or doing better in a new job, et cetera. There are many reasons to do so, but the fact is that organizations are losing their information, they’re furious. And then, I think finally on a more global scale we see enormous amount of geopolitical tensions and that centers really around the retention of your data as well, and data thefts as such. So organizations are becoming more and more aware of these geopolitical tensions and safeguarding their data against that data theft aspect. And then on top of all of that, and then I’ll stop, is really the COVID-19 factor. And I think we’ve really seen an increase over the years already. And the reports have been pointing this out. But really in the last year with COVID-19 there are three really additional factors at play. One factor, there is really the push of users or your workforce to a more remote level. And also really the visibility of the employer on their employees working remotely, which is an issue in itself, but also job insecurity of employees. The fact that there is much more job insecurity makes its employees, are more going for themselves and their their own careers. Really looking for new jobs, and that makes them also vulnerable in that job markets, think of LinkedIn. Or also, other players are trying to recruit individuals within organizations, so there’s a lot of dynamics there as well. And then I think in the end, making mistakes multitasking is another aspect with people working remotely. Yeah, I think everybody’s been through processes of handling kids, handling really, a hybrid way of working. And we all know that with distractions, also more mistakes are being made. So these aspects I think have made organizations even more vulnerable than we’ve already had with all these other factors at play.

Alex Gobbi – What a comprehensive assessment, that is fantastic Elsine. I’d love to jump in a little bit on, one of the, or a couple of the things you mentioned. One is, you started with digitization, right? And just everything is data nowadays. And also this highly collaborative world that we have today. So I think about the enormous innovation that has been made to help companies and help employees get their jobs done faster and better. I’m using Slack today. I use a Google doc to collaborate with external parties. And so, you know, I’m just wondering, we have some data that shows that there’s this pressure right? And I want to dig into this cause you’re a psychologist, but our data shows that 36% of employees are actually feeling that the use of these collaboration tools, and this being remote I think exacerbates that, is often also making them more complacent. You know, not thinking about data security as much because there’s so much pressure to move fast and get things done. And I wonder if you’ve seen, especially thinking about the human factor, like that complacency that, well, I’m not going to be as diligent because at the end of the day, I’m making a trade-off of just getting my work done and fast and collaborating. Just wanted to know if you have any comments on that based on the work that you’ve done.

Elsine van Os – Yeah, I think that time pressures are never good to be compliant, in any case. Compliance also requires time to be really aware of the steps that you’re taking within doing your work properly. So I think also, if you have policies that you need to comply with, you need to provide your employees the opportunity to comply with these policies by being able to take the time to process this. I think most of the mistakes are being made by being impulsive and not getting the time to do things properly and overthink all the decisions that you’re going to make. So these aspects really play a role, I think, in making these unintentional mistakes. A mistake isn’t unintentional but that goes to the eventual insider threats.

Riley Bruce – Yeah, and that is absolutely the case. And I know Alex, we have a lot of data that said that is true. And also I want to get to a question that just came in from the chat that was related to something that you had said previously, Elsine. Which was to some of our viewers, it may be obvious what some of the geopolitical ramifications are right now, but do you have some examples of those geopolitical forces that are causing the change in the threat landscape that you mentioned earlier?

Elsine van Os – But the focus really is on the tech war that’s going on, and really the quest for technology and innovation. And that goes for, well, for instance the semiconductor industry that’s being regarded as in the eye of the storm and the battle for resources. So, and what you see there is enormous, at least enormous movement of personnel in all kinds of directions, for companies really scraping for that expertise, in any case. And again, there, you see that whole movement of personnel and losing data in general. And yeah, this is really, especially between the two geopolitical superpowers of the US and China. But of course, not exclusively because it’s playing out in these companies that are in the frontline of all of this, and these companies can be based anywhere in the world where they’re really ahead of the innovation curve.

Alex Gobbi – Elsine are there other sectors, you talk about the semiconductor industry and certainly we hear about that very frequently on the news. Are there other sectors where you are seeing the geopolitical pressures impact, and see, manifest itself in a rise of insider risk incidents? I’m thinking about energy or other types of, I’m just curious, if you’ve seen it in other sectors as well.

Elsine van Os – Yeah, definitely. I think what springs to mind immediately in the last year is the biotech industry and the pharmaceutical industry, and the race for vaccines. There’s been really increased tension and war playing out on the level of cyber threats, cyber incidents but also insider threats. And yeah, similarly also in the, at universities where a lot this is taking place in coordination with these businesses. So, that’s where you see really an increased amount of attention.

Riley Bruce – Thank you for that answer. And I think that I often, well, this is just me, forget about all the work that is happening at universities that obviously people, maybe it’s paid for by the governments that are trying to then get access to that through grants, et cetera, and that’s a fantastic example. The next question that we’ve got is, do you see a difference, and this kind of goes along with the geopolitical conversation, do you see a difference in the threat landscape and this change in insider risk between the US and Europe, either seen holistically together or separately, and then the rest of the world? Where are these changes manifesting primarily?

Elsine van Os – In general, we see changes happening in the awareness and the embarking on insider risk programs globally but definitely the US has made a starting point with this. At least from a concept point of view, for sure. So, insider risk management as a concept or insider threats as a concept, really originates from the US. It’s been Obama’s executive order in 2011 and the insider threat policy of 2012 from the US government that really kicked this all off. And then it trickled down into the industry as well and into various sectors. One sector is stronger than the other in terms of insider risk management maturity. So it’s also a sectoral thing. I think again, this all, also from a business point of view, this originated from the US. But we now see this also, more happening in Europe. So, in Europe businesses that are starting insider risk programs as well. Especially multinationals, or at least companies with a somewhat global presence, and having that geopolitical dynamic also in it. And then, if we’re looking at the differences in approach between the US and Europe, I think it’s slightly different. In any case, from a maturity point of view, it’s already a little bit more mature in the US but also I think in the US, if you’re looking at prevention, detection, response and recover, I think the focus is quite on detection as well, a little bit more, and maybe I’m exaggerating to just show the difference a little bit, but it’s more on the technical monitoring aspects as well. While in Europe, that’s pretty sensitive also in relation to GDPR. Of course, any each company is sensitive but sensitivities are stronger in Europe. So you have of course, privacy as a important consideration. And I think there, the balance with more preventative measures are stronger in place when embarking on an insider risk program. So more on the educational side as well, I suppose, if we look at the distinction there.

Riley Bruce – Alex, did you have anything that you wanted to add or ask there? I want to make sure in this case.

Alex Gobbi – No, not right now. Keep going with your questions or anything you found on the chat.

Riley Bruce – Cool. So I guess something that did come in from the chat is, do you have any specific examples of the differences that for instance, need to be put in place with an insider risk management program because of the existence of GDPR? You mentioned the education component is slightly different. Are there potentially technical or procedural differences between the way that those in the United States can approach this problem and those in Europe?

Elsine van Os – If we’re really looking at holistic insider risk programs, I think overall the, like I said the emphasis was a bit different. If we’re really looking at technical monitoring, and here you get a little bit into a dilemma. You can have technical monitoring in which you also incorporates contextual factors. So, HR related factors, so that you are able to paint a picture little bit earlier then when you are really at a late stage gathering hard facts and evidence of, yeah, concerning behaviors in your systems, if you will. And I think in the US you’re able to get more types of data, connect more dots while in Europe that is actually much more sensitive to do so. So there is more really focused on the harder facts, to gather the harder facts, but then, yeah, I was just saying in Europe, yeah people wants to be a little bit more on the prevention side. It’s, from a data collection point of view it’s more difficult to actually be on the prevention side of things. So, that’s the dilemma that you’re in. You want to collect as much relevant information and also contextual information, HR related information. Sort of, you’re able to intervene in an earlier stage with employees that are maybe in a difficult position but that means collecting information that is quite sensitive, and that’s the dilemma in Europe. It’s a little bit more difficult to collect that type of data. I hope that makes sense.

Alex Gobbi – I have a follow up question on that one. So we go back to the question of speed, right? Because at the end of the day, it really is about speed of detection and then speed of response in order to minimize the impact of any kind of data security event. Do you see what I would call a healthy debate and discuss happening in Europe between the commercial organizations, that understand this need for speed, and with the European government and certainly those trying to push for privacy and protection. Because both have merits, right? There is merit in both. I’m just curious, and I know we didn’t prep this question but I’m curious if you have seen kind of an effective at least, conversation happening there.

Elsine van Os – I don’t think that debate is happening on a governmental level. So on the EU level, no. On a governmental level, not necessarily. I think more wide, yeah, no. I will go down a completely different rabbit hole. So no, not really on a governmental level but in each company, that debate is definitely happening when that’s, when they’re considering implementing technical tools.

Riley Bruce – Yeah, the healthy debate and discuss can also be, that is, the euphemistic way of saying a good old fashioned ideological disagreement. So, thank you both there. The next question that we’re gonna talk about here are, what does a holistic insider risk management program mean? You kind of referenced that in your previous response but what is the difference between that and maybe the way that things are being approached now slash historically?

Elsine van Os – Yeah, so historically, I don’t want to take my old employer as an example, but I think that’s been, at each company it’s been more ad hoc responsive approach towards incidents as are coming on to your desk. So very responsive. Also more traditionally insider risk management was actually a little bit more stovepipe, responsibilities were assigned to different departments. Meaning measures and information flows weren’t coordinated. Yeah, that made actually that insider, the indicators for insider incidents were missed because everything was stovepiped in different departments. So holistic insider risk management means that you have one governance structure, you have different lines of information flows that flow into one single point where you can actually, where you’re able to analyze the different types of data. So, think for instance, of your technical monitoring tools and you get your red flags, you have an analyst reviewing these red flags, et cetera. However, you also have, for instance your confidential hotlines. You have your leadership in your organization or HR separately. It’s important to combine all of that information to make sure it comes together and you’re able to paint a whole picture. And I think that’s been the, really the detrimental sides of not having insider risk management in the past. And here I go to a parallel subjects of school violence, where you’re always talking about data but insider risk management is for instance also, workplace violence or school violence. And time and again, looking back at very serious incidents of school violence, there was so much information but that was all stovepipes, or yeah, scatters around the school system or even outside. It was a lot of information out there it was just not coming together. And holistic insider risk management is really focusing on bringing that information together and also implementing measures that are really focused on all these areas of prevent, detect, respond, and recover across departments. So it’s a quite a complex undertaking, I must say. And maybe, also good to elaborate a little bit on how do you even start with that? And yeah, we really think that’s you have to start with an insider risk assessment. Everybody always talks, risks assessments and everybody thinks they also do an insider risk assessment. But if you first do an insider risk assessment in a company you know, on all these aspects of prevent, detect, respond, and recover, across the lines of people processes and technology in the various departments, you have an understanding of what is the basis of the measures that I already have in place. Most organizations already do quite a lot but they just don’t have that full overview. So you need to be able to get that full overview on your organization to make a start at, okay, where are my important gaps? Where do I take my primary measures at this moment in time? And how do we then develop a full program to really make sure that we address insider risks holistically? You can do one thing but then you might be leaking in the other. So you can start your technical monitoring but we don’t do any screening of our employees. No pre-employment screening, no in-employment screening. We don’t even say goodbye to our employees. That’s all not managed, but we do monitoring. That’s just, that’s not going to cut it if you’re really talking about serious threats. So, that’s, long story short, that’s what I mean with holistic insider risk management.

Alex Gobbi – Great, Elsine I have a followup question, you talked about, and I like the analogy of the school, right? Where I was going to go with the question is, it often takes an incident like workplace violence, like school violence to have all the parties realize that they had, they just need to connect the dots, right? That’s often a trigger event. In the work that you do with other companies, are there other trigger events that you’ve seen that have shifted the focus to take a holistic approach to insider risk management, other than an incident?

Elsine van Os – Hmm, that’s a good question. No, well, generally it is indeed the incidents that make organizations realize and get started. It could sometimes be incidents with competitors that they see and they realize, oh we have to take measures ourselves as well. Sometimes industries do connect very well with each other, in the energy industry it’s definitely the case. Security is not competitive. So the security managers really do discuss this with each other and then take measures. Or at least, if one takes measures, it’s being discussed industry wide, and approach is being taken. But unfortunately, it’s most of the time incidents. And then you have to be, I don’t want to be too grim but you also have to be lucky that people want to learn from these incidents because all too often people are seeing an insider incident as this rotten apple within your organization. We throw it out of the basket and everything will be fine again. So to attribute meaning of rotten apple to one person committing an incidence is not very helpful because you need to be self-reflective as an organization as well, and learn lessons to really understand, okay, how did we contribute to this happening? And I think that is a really important one. And yeah, it’s all too easy to externalize what’s happening but then, internalize and take lessons that’s important. So yeah, on your question, are incidents most of the time the reasons we get started? Yes, most of the time and sometimes not even. So, I think it’s important to really learn from incidents. I think also we are in the process of more compliance with regulations. So that’s also coming up as an important factor.

Alex Gobbi – Yeah, what we see in our business as well is, we do see incidents. We also see a heightened awareness that restructuring, reorganizations or expected turnover, which is likely to happen now post-COVID when we’re going back to this new normal. Those can also be reasons to just be reflective and say are we ready for this, right? If we’re going to go through a massive transformation if we’re doing a merger or an acquisition of a company and employee is going back to the human element, right? Employees feel potentially, with their job, at risk, right? Or there’s, you know, the economy is doing well again and I may go look for another job. So those are the types of trigger situations that we often see as well is, organizations realizing that they need to look at their insider risk maturity, if you will.

Elsine van Os – Yes, you mentioned a very important factor which is organizational change. And Chris in the UK has done extensive research and provided guidance on insider risk and organizational change. It’s a very important factor because it puts pressure on the social contract between employer and employee. And I think I referred to that before already, as well, that employee loyalty is a critical mitigating factor for insider risk. And when the employee loyalty is not with the employer anymore, but with themselves because they are in the process of survival, then you’re losing that mitigating factor a little bit. Of course, there’s still other factors at play but that aspect it’s them being put under pressure. So yeah, it’s important consideration.

Riley Bruce – I actually have a follow-up to the question or to the statement that it, most of the time does take an incident. And we all, we understand that an incident should never be wasted, right? Like, you should capitalize on it, you should learn from it and then actually make it so that that same thing cannot happen again. But, and this is a question for either one of you, what guidance would you give to maybe those watching who understand that this is a problem, don’t want to get to the point of having an incident, and then want to get something started? Is there anything that can be compelling to the organization to do that without an incident?

Alex Gobbi – Elsine, why don’t you go first?

Elsine van Os – Yeah, I think I’m immediately thinking of the book, or the document from Matthew Bunn and Scott Sagan on the 10 worst practices guide. There are so many lessons that have been learned. And one of the first lessons is, don’t think it’s not happening within your organization. There is so much information out there, that, and I think so many people have some sort of experience with an insider threat. Not necessarily immediately materializing an insider X, but at least an insider threat. That it is happening in organizations. And don’t again, think only of data theft, but also think of these violence, or maybe a Me-Too situations, think of fraud, corruption, et cetera. So there are many different forms of insider X that could materialize in organizations. And also, don’t wait until it materializes anyway. I think organizations have a duty of care to really address concerning behaviors in the first place, in your organization. And to make really your organizational environments a healthy way of working in a safe environment. So I think from a duty of care point of view, I think it’s very important to at least, prevent or make very serious attempts at preventing insider X to take place.

Alex Gobbi – Yeah, I’ll jump in there with two thoughts. One is, you can’t fix what you don’t know or what you can’t see. And so I would say, just being honest with yourself, right? And having the visibility to data, both exfiltration as well as data infiltration because that can happen too, is really important. That will give any organization a really good baseline of you know, the effectiveness of their current security tools, of the level of adherence with compliance. So, I would just start with visibility, right? It’s the first step of everything, is just really getting a good-full landscape. It’s crazy, the number of organizations that we talk to that say, well, we block all our USB drives, so there’s no way that data is exfiltrating on a USB drive. And we offer them the visibility and they have that, aha, moment where they realize, oh wow, we do have data exfiltrating on USB drives, right? Which is, you think of that as a very historic way of moving data, yet it’s still happening. So, I would say visibility is probably the biggest area that I would look to.

Elsine van Os – Yeah, that’s a very good point. And a lot of organizations just don’t know and you first need to get that visibility as well. Another factor is, I think, be careful of not falling into the trust trap. That’s also a discretion that’s often held, but we trust our employees. Yes, you really should trust your employees but it should also not be a free-for-all. So yeah, I think often times in our workspace we call this trust, but verify. Trusting is very important and a cornerstone to work together. And you shouldn’t be distrustful or paranoid towards each other, but you should also be mindful that you need to look after your organizational assets. And that these things can actually happen. So, that you need to take measures to properly safeguard also your organizational assets.

Alex Gobbi – The other thing you talked about, Elsine, was culture. At the end of the day, how important it is to have a culture of transparency in an organization, a culture of trust, even though we have the trust, but verify, right? And we do believe, and I believe this personally as well, that there is a benefit of being transparent. Transparent with your employees and saying, look you are using one of our assets. Your laptop is an asset that is owned by the company. You are working on projects for the company and we monitor that. We look at what is happening. And I think employees understand that it’s not the, like big brother is watching everything you do and is monitoring, you know, every single keystroke you make but we are watching the data that is moving in and out of your end point and what you’re working on. And what we’ve seen is, in some of our customers actually a 75% decrease of just incidents, right? So because there’s a heightened awareness of, you know, well, I am being watched what I’m doing and it is in the best interest of the company, but also my ability to work effectively in this company. And I’m going to bring to your point of, I’m going to be just a little bit more cautious around what I do and not as careless. Cause a lot of, most of these incidents are really just employees trying to get their jobs done, and trying to get them done under pressure, working fast. So I do think, you know, how some of the insider risk management can actually drive a very positive culture in an organization that ultimately has as ramification a preventative effect is not negligible.

Elsine van Os – Maybe to as a parallel thing, because this is what’s happening in the systems. I think, if we’re talking about culture, I think a culture of constructive dissent is a very important one. So also interpersonal and the interpersonal work environments, and where people are working with each other and seeing also concerning behaviors or odd behaviors, being able to speak up and mention that people are actually going over boundaries. I think that is also a healthy culture that you want to stimulate as well. And sometimes very difficult to speaking up in organizations. So that’s the physical speaking up from, compared to the technical speaking up to say, hey, you’re doing something in the system that you’re not supposed to do. You have to also do that in a physical environment.

Riley Bruce – And I think that actually is a nice lead in, both for what you were just talking about. And the question is here, with Signposts Six, Elsine you predominantly focus on the human element and prevention of insider risk. What does that mean? We’ve been talking about some human stuff here and then, how does that translate into a corporate program?

Elsine van Os – Well, we do focus on full implementation of full insider risk programs because we do believe that you shouldn’t only focus on prevention, detect, but also in detection, response, and recover. That is really key. You’re never able to prevent everything and you shouldn’t have that illusion to do so either. But I think prevention is very good from a duty of care point of view that I mentioned earlier and from an organizational responsibility point of view. Plus, 97% of employees who committed insider X were already showing concerning behaviors prior to committing these acts or prior to even technical indicators. So, really there’s a lot of information that’s lost on an early level, and probably also in relation to organizations not knowing what to do with these signals. And that, really comes down to leadership and HR. To really understand what’s going on with my employees and how am I going to handle this, early. Because these signals, like I said, the 97% of the cases, so that’s all of the cases predominantly. There was already something going on. And also going back to that, connecting the dots, getting that information together, making sure that the information comes together, and leadership knows how to react, that is key in the focus of our programs, besides the full programs that we were talking about. But that really has our emphasis.

Riley Bruce – Well, I’m going to assume that Alex, you’re sated there and thank you Elsine. I think that did do a good job of explaining how we actually take thinking about the humans and then get actual policies and procedures in place within the corporate environment. However, the next question feeds off of that, and that is, what are three things or preventative human activities that you believe that organizations should put in place at a minimum, as part of their insider risk programs?

Elsine van Os – Yeah, so these three minimum areas are still big areas, I have to admit. One is employee lifecycle managements. So really from the recruitment stage towards onboarding, in-employment, but really don’t forget post-employment. It’s all too often that employees still have access rights or they leave in a disgruntled manner and then actually come back afterwards, yeah, committing an insider X. It’s really important that after care piece is really taken care of. Especially now, through all these organizational change processes. So that employee life cycle management is one. The second one is really training and education. Really, for all employees to really understand signals but also specifically, like I mentioned just now, leadership and HR but also professionals really in security. To really be equipped to deal with an insider threat evolving. And then finally being able to connect the dots. So if you have information points on concerning behaviors, or as we called So somebody already doing something wrong within an organization. Being able to gather the data, connect the dots, and have an appropriate response to this, I think that’s really the key. So these are the three areas. Life cycle management, training and education and connecting the dots.

Riley Bruce – Well, thank you for that. And I know that we are kind of coming up on the time that we had allotted. I’m going to check in the chat here quick and make sure there’s nothing that we missed. It doesn’t look like there was but thank you very much, Elsine for your time and, Alex for your insights and time as well. And everyone else, thank you for joining us today on this version of Code42 Live. We’ll be coming back in about two weeks and we will have another great session talking about insider risk management. Thank you again, and have a great day.

Alex Gobbi – Thank you, Riley, thank you Elsine.

Riley Bruce

Riley is a Security Community Evangelist Manager at Code42 where he enjoys educating Security and IT teams through engaging technical content and presentation. Previously, Riley served in both customer support and customer education roles at Code42. In his spare time, he enjoys photography, travel and relaxing at the lake in northern Wisconsin with his pug Mimi.