Written by: Bret Arsenault | c.2023 Harvard Business Review
As the digital world continues to grow, so do the volume, variety, and velocity of cyber threats and attacks. The world is awash in data, and there is always someone trying to turn it into their own virtual currency.
Today malware and ransomware are hitting everything from our personal cell phones to mission-critical infrastructure and supply chains. Whether it’s phishing, smishing, or vishing, attackers are getting more sophisticated too, using details about our personal and work lives to tempt us to share our data.
But in a world where everyone is a target, companies also need to understand their exposure to risks that come from inside their organizations. Today more than 300 million people are working remotely — creating, accessing, sharing, and storing data wherever they go — and data breaches arising from insider threats and simple mishaps can cost businesses an average of $7.5 million annually. Consider the 2022 data breach of Cash App, where a former employee accessed customer financial reports after being terminated. The breach likely affected 8.2 million current and former customers.
Ultimately it doesn’t matter if the breach was intentional or accidental. Insider risk programs should be part of every company’s security strategy. To be successful, organizations should lead with their employees as partners in the effort and supplement their program with advanced tools that detect and mitigate insider risks wherever they arise.
Here are four lessons I’ve learned as CISO at Microsoft, managing our insider risk program as it grew from a small internal initiative into a business unit that reports to the CEO.
1. Prioritize Employee Trust and Privacy
This point comes first for a reason. In business and in life, trust is the key to any functioning relationship. The best insider risk programs emphasize the balance between employee privacy and company security. It’s critical to come up with privacy controls and policies that maintain, and even boost, trust.
Setting up tools to indiscriminately sift through employee activities for wrongdoing is not only ineffective and counterproductive — it’s just plain wrong. It’s an invasion of privacy that creates anxiety and erodes the relationship. Organizations need to be able to detect insider risks, but they need to do it the right way, acting transparently and within a narrowly defined scope to demonstrate respect and extend trust to employees.
Setting up privacy controls that protect identities at work — even during investigations — lets people know you’re protecting them too. Using role-based access for insider risk management tools also helps ensure that the right person is reviewing compliance alerts, keeping unwarranted suspicion from creeping into the organization.
2. Collaborate Across Functions
While IT and security groups will lead the way, insider risk is a business problem that involves the entire company. At Microsoft, we learned this over time. What started as an initiative in our security organization evolved into a unified effort across the business groups, including legal, HR, and senior leadership.
This broad involvement helps ensure wider buy-in and provides additional perspectives and resources, such as the legal department prioritizing emerging regulations and HR facilitating training programs and surveys. An insider risk committee or ombudsperson can help get the conversation going. One of their first tasks should be creating a response plan that outlines how information is shared, when and what each group contributes, who makes which decisions, and who is accountable.
It’s also important to have shared goals with clear measures of success. You can fine tune the process by quantifying key metrics such as the number of cases raised, the true positive and false positive flags, and actions taken as the result of findings. If you have a high number of false positives, you risk burdening your HR and legal teams with unnecessary and expensive investigations.
3. Recognize That Employees Are The First And Last Line Of Defense
Getting employees to engage with data protection and compliance training can be challenging, but it’s important that they know how to mitigate security risks and why it’s a priority. Trainings that emphasize stewardship of data show that the organization is extending its trust to employees as they serve the business.
Train people on how to handle the organization’s data properly, and repeat that message regularly so it’s always fresh. It also helps to make it personal. Most people immediately understand and engage on how to protect their own financial and health care data. Infusing a personal aspect into the training connects the dots on the importance of data protection for the business as well.
Training people on the principle of “see something, say something” in a risk-free way is a critical capability for an insider program. By improving data security education and training, companies can empower employees as a first and last line of defense that is complemented by detection tools.
4. Use Machine Learning Tools To Do More With Less
Gartner defines insider risk management as “the tools and capabilities to measure, detect, and contain undesirable behavior of trusted accounts within the organization.” And insider risk management tools have gotten much more precise and effective in recent years.
Older tools tend to overlook subtle indicators that can identify a bad actor trying to hide their tracks. They also often feature overly strict controls that lower productivity and encourage workarounds. Today a new breed of insider risk management tools is emerging with adaptive security capabilities that can detect risky activities and mitigate any potential impact while staying out of the way and keeping user information private.
Where an activity like printing a confidential file might not show intent, a sequence of connected activities like renaming the file and then deleting it after printing could indicate something more serious. Using machine learning, these tools can separate the signal from the noise and identify subtle actions, reducing the false positives that can bog down the organization.
A Successful Insider Risk Program Focuses On The People, Processes, And Technologies
Managing both internal and external risks is vital to the security of any organization. Each comes with their own challenges, but what makes insider risk management especially tricky is the need to balance people, processes, and technologies.
Powerful tools can help impede, detect, and respond to insider risks — but they won’t address the root causes. That’s where detailed onboarding, security trainings, team-building exercises, and work-life balance programs are useful. Building a healthy work environment helps reduce the risk of an employee intentionally engaging in dangerous behavior. But at the end of the day, striking the balance between people and technology matters most of all. Risk management has to be proactive and continuous, and it takes trust, transparency, and collaboration to keep that engine running. This philosophy — people first, backed by powerful technology — is the only way to prevent incidents before they happen, detect them if they do, and respond to them quickly and effectively.
Bret Arsenault is Microsoft’s chief information security officer, responsible for enterprise-wide digital security and resiliency.
For more great articles, go to HBR.org.
c.2023 Harvard Business Review. Distributed by The New York Times Licensing Group.