Insider threat programs are built to help organizations protect themselves against insider threats, obviously. But how often are those same organizations asking their employees to help in that effort? It seems a bit ironic, since the “insider” is someone with approved access. It could be an outsider who wrongfully gained credentials, but more often than not, it is an employee doing something with data they shouldn’t, either with malicious intent or through negligence or error. Studies show that 68% of all insider incidents are due to negligence or error.
Switch the narrative
Many security organizations are still trying to “catch” nefarious data exfiltration activities by using data exfiltration tools as well as training employees to watch for indicators of an inside threat in their coworkers and then reporting them to management. Those indicators include a coworker demonstrating any of the following: financial difficulties, gambling, poor mental health, acquisition of unexpected wealth, irregular work hours, the list goes on. Instructing our employees to monitor and report on one another, in my humble opinion, works to further divide a company culture.
And it seems like the hard road to take. It’s as though our employees are our adversaries instead of our trusted partners. I propose we, as security teams, switch the narrative and our tactics to turn our employees into our greatest allies and assets within our insider threat programs.
Transparency from the start
First, instead of hiding the fact that we are monitoring employees through our security tools, fill them in on what you are watching and begin to build a trusting relationship with them. In return, ask for their support in helping to protect the company. After all, everyone wants the company to prosper because it benefits us with continued employment, development opportunities and pride in working for a sound, growth-bound organization. Be transparent with employees on day one in new employee orientation. By talking about what you are watching and sharing your expectations, you set up your employees for success. It also helps minimize the events the security team has to investigate that stem from negligence and error. Employees will know straight away that you will respect them by assuming positive intent, that you will be transparent, and that you do not wish to sit back and hope to “catch” them.
Build your program
The next step is to review or build out your insider threat employee training. Based on this new paradigm, we can move away from coworkers reporting each other and instead outline what we need them to do to better protect the company. Invite employees to engage with the security team if they have questions about what data they can move and what apps they can use to store data. Provide them with more solutions to keep data safe. If you have a USB policy where your ports are still open, encourage your employees to reach out to you if they need to move data onto an external drive and perhaps provide them with a company authorized thumb drive. If you utilize a tool like Code42 to watch for data movement, ask employees to let you know when they need to move data so that the system doesn’t flag them. Then, when they reach out, reward them with praise for partnering with you, for minimizing the security team’s workload and for helping to keep the company and its data better protected. Doing this reinforces the seed you planted on day one — that partnering with security is a win-win for all and increases the chance employees will reach out to you next time, too.
By removing instances of employee negligence or error, the security team can now focus on real, malicious threats within the environment. While living in a world where we assume positive intent unless proven otherwise may seem Pollyanna-ish, it aligns with a cornerstone of democracy where we are assumed innocent until proven guilty.
If you’re starting an insider threat program, we recommend checking out our new video, created for organizations to share with their employees, along with the outline below of how employees and security teams can work together.
Declaration of Security Interdependence
We the People
- Are working hard at what we do so we can do it better and better
- Are usually not focused on the security policy, every second of the work day
- Want one place to go for our security questions and concerns
- Cannot possibly remember all the bullet points in all our compliance trainings (e.g. compliance & ethics, HIPAA, PCI, privacy, OSHA, non-discrimination, sexual harassment and more)
- Are busy, often putting in well over 40 hours in a work week
- Want to be seen as trusted and well intended
- Want to partner with you, not be seen as an adversary
- Do not wish to cause harm to the very employer who supports our livelihoods
We the Security Team
- Need to hear you, know you and understand your roles
- Need to make security more simple
- Need to make trainings more enjoyable and memorable
- Need to understand not everyone is a security expert
- Need to understand that working together is more successful than working against each other
- Must assume positive intent when we see you do something “wrong” until it is obvious there is malintent
- Need to work hard to make our relationship trusting, supportive and strong