
Use an Empathetic Investigations™ Approach for Your Modern IRM Program

How security conducts employee investigations needs to change. All too often, security investigations are an attempt to get an employee to admit to suspected wrongdoing. Times have changed. Instead of investigating employees the same way we investigate threats from external actors, we at Code42 say it’s time to be more empathetic. By reaching out to employees with empathy, security is in a much better place to understand why employees are making mistakes and breaking policy. With this understanding, security teams can offer employees the assistance and guidance they truly need to make better decisions with company data. What’s more, understanding why employees do what they do provides much-needed insight into where security policies and controls may need to adapt to the way business is really getting done. Approaching employee investigations with empathy is critical to the success of your Insider Risk program. We at Code42 call this – what else – Empathetic Investigations™.

Benefits of using an Empathetic Investigation™ Approach

  1. Get to the root cause of insider events sooner
  2. Reduce unintentional insider events in the future 
  3. Create or maintain a positive security culture

How to use an Empathetic Investigation Approach  

Empathetic investigations begin with an inquiry that removes pre-judgement and approaches the situation with a blank slate. With 78% of data exfiltration events caused by non-malicious or unintentional behaviors (Aberdeen, July 2021), more often than not you will be connecting with a co-worker who’s just trying to get their work done, is making mistakes, or is taking shortcuts to move more quickly than sanctioned apps allow. So treating them as though their actions were intentionally malicious is absolutely the wrong approach and could backfire.

This may take some practice for those of us who have worked in security for a while. Historically, we’ve spent more time chasing outside risks, so it’s become a natural instinct when we see a document moving to, say, a personal cloud drive, to think something malicious is going on and to want to confront the user. Or, if you’ve been using an EDR, an immediate instinct upon seeing an alert may be to expect the worst and then work backwards. But with most insiders you pretty much have to turn that instinct upside down. Imagine you react in an accusatory manner toward someone and then learn that they are new and didn’t know or forgot it is against policy to move company documents to their personal email account to work on later. If there was any trust equity built up with your users, you would be at risk of damaging it, and regaining that trust will be a heavy lift. Distrustful employees could then be more likely to keep doing the same thing or, worse, take high-value files with them when they leave.

So we need to build a new habit of pausing before reacting too quickly and putting our assumptions on hold until we can get more data, which we may need to get from the user. They are much more inclined to respond quickly and honestly if we have developed trust with them. This may require us to unlearn some previous ways of “digging into” investigations. Give yourself some grace; it will take time and practice, but you’ve got to start somewhere. You may want to check out my previous blog on The Three “T”s That Define An Insider Risk Management Program for more on building trust with your users and stakeholders to accelerate your IRM program.

Determine risk to guide a right-size response

Before any inquiry, you will need to understand the potential risk, as determined by your organization’s risk ratings, which include WHO took the action, WHAT was exfiltrated, and WHEN it happened. That risk determines how to approach the employee or contractor. If it is clear that malicious activity has occurred, you will need to move right into your incident response plan. But keep in mind situations such as a compromised account, where the user isn’t guilty although the activity on their account certainly looks that way. And if there is any doubt at all, using empathy will help you sidestep wrongly accusing someone. Remember that you can always pivot to your incident response plan at any time as you gather more information.

If there is a chance this is just a result of human error or it is a lower risk situation such as a new employee saving their onboarding notes to their personal cloud account, you can move forward with the following steps. It may be so low risk, you may be tempted to not address it directly. But even with situations like this, you could use the situation to reinforce correct behaviors. In any case, remember that the words and tone you use will impact how your communication is received. If your program is ready for it, automating responses is a great way to allow neutrality in your responses so, for instance, the VP of Operations gets the same automated message as a mid-level manager.

Four steps to successful Empathetic Investigation™ Approach

Step One – Connect to understand  

When an event happens, such as an employee moving company files to their personal OneDrive account, we recommend a first outreach to the employee that assumes positive intent. It can be as simple as, “Hey, we noticed that you moved a document titled ‘XYZ’ to your personal OneDrive account. Did you mean to do that?” Then really listen to their response. The most likely response is going to be surprise, because they forgot or didn’t know that was a bad thing, or maybe they needed to get their work done and that was the quickest way to do it.

Step Two – Reassure to support partnership

In any of those cases, you can move quickly to step two: if it was simply a mistake, let them know they are not in trouble. This is important because the employee likely believes they are, which, in extreme cases, can leave them wondering if they will lose their job and could lead to a natural human instinct to become defensive and deny the behavior. So it is our job to reassure them that this event can be reversed and that you are here to help. By reducing the employee’s anxiety, you make it more likely that they will be honest with you about what they were trying to accomplish, and you’ll be better positioned to help. Perhaps there’s an existing solution they didn’t know about, or access they can request to, in this case, another company-approved cloud storage or sharing solution.

Step Three – Recover

Depending on what was moved and where it went, work with the employee to ensure the data is removed from the unsanctioned application or device swiftly. This is best done via a video call where you can ask the employee to share their screen so you can assist to make sure it is done properly. Use words selectively here so this request doesn’t appear to come off as, “We need to watch that you do this because we don’t trust that you will do it or that you even know how.” Eek.

Once that is done, if needed, you can send them a data destruction attestation to sign saying that they are not aware of the data residing anywhere outside the trusted network, in any form or fashion. Work with your legal team to establish when and how to use an attestation for your program. Here’s a template we provide to our customers to build upon for their organization. 

Step Four – Educate

It’s important to provide the employee information on the RIGHT way to take action in the future. Providing guidance at the time of the error is highly impactful and more likely to be remembered than, say, an annual training. We call this just-in-time training and it works. Also, people are busy so if you want them to consume it, make it a quick lesson. We suggest a 1-3 minute training on the specific situation. Code42’s Instructor lessons were built specifically for this purpose.

Know thyself

Unconscious bias

Because today’s modern IRM program is a people-centric program, it’s important for analysts responding to events to be cognizant of their biases. As humans we have so many conscious and unconscious biases that affect our actions and decisions. To strengthen your empathetic investigations approach, consider working with your HR team to see if they have more information on how to explore your unconscious biases to ensure that those are not impacting how you interact with the various individuals across your organization and how you can potentially mitigate them. It will be important to treat all individuals equally, whether they are your peers, the CEO or someone in a group or culture you may not agree with. So be aware that HOW you say something can carry with it how you feel about the person or situation. This is part of being human so the more we know about ourselves, the better position we are in to practice empathy in our investigations.    

Words and tone matter

Like we said, it will take some practice to become a true empathetic investigator, but you’ve got to start somewhere. Here is a handy table contrasting responses that could elicit defensiveness and undermine your efforts with empathetic responses that work to your advantage.

| STEP | DEFENSE INVOKING RESPONSE | EMPATHETIC RESPONSE |
| --- | --- | --- |
| STEP 1: Connect | You moved a company file to a personal cloud account. That’s against policy. | Hi! We noticed that a document titled “Onboarding Notes” was saved to a non-corporate cloud service. Did you mean to do that? |
| STEP 2: Reassure | There are repercussions for breaking security policy. | Don’t panic, we’re not here to reprimand you, we understand that folks make mistakes when we’re moving quickly. |
| STEP 3: Recover | We need a Zoom call with screen share to watch you put it back and delete it from your personal service. | Can I set up a call to help you reverse this? |
| STEP 4: Educate | Due to this action, you are being assigned our Security Policy training and are required to complete it within the next 10 days. | We have secure ways to save and share data and it’s all summed up in a short training lesson that I’m going to send to you. Please let me know when you’ve watched it so I can answer any questions you may have. |

To summarize

We’ve discussed what you will gain by responding with empathy to users who move data where it should not go. Building trust and respect with your users will be a key foundation to the success of your program. Connect with them at onboarding or at the onset of your IRM program and be transparent with them. This will pay dividends when you need information from them when responding to an event. Then, using empathy, follow the key checkpoints of Understanding, Reassuring, Recovering and Educating, and you will continue to build positive relationships with your users. They will be much more likely to provide helpful context when you reach out to them and, in the future, to reach out to your team for assistance when they legitimately need to move data. This will build and perpetuate a positive security culture at your organization but, best of all, it will lead to fewer and fewer exfiltration alerts for your team.

NOTE: The Empathetic Investigations Approach is a proven approach. Our Code42 IRM analysts, Brandon McHugh and Austin Wolf, have been conducting inquiries and investigations in this manner since joining our IRM program in 2019. As an appreciative end user who has been on the receiving end of their Empathetic Investigations/Inquiries (yes, we are all fallible), I can attest that it was a refreshing and positive experience. So much so that we hope other organizations will adopt it. Of course, each program will be custom made for your own environment, but moving in this direction should provide positive results.

Based on Brandon and Austin’s fantastic work, we have developed training to help other IRM teams move into this new space of Empathetic Investigations with success. Here is a preview of our training to see if this is something that could assist you or your team.
