Hardly a week goes by before another insider threat stolen data or espionage story hits our news feed. While the intentional or malicious insider threat events make the best headlines, insider threats can be a mix of intentional and unintentional employee actions. Studies suggest 50% to 90% of insider events involve negligence or lack of awareness with employees accidentally exposing data or violating security policies without intending harm. Root causes can include technical controls that are not aligned to established workflows, policies and processes that are out of date, and overworked employees responding to demanding managers.
At Everfox we pride ourselves on our deep understanding of the mission of managing the risks posed by trusted insiders. The need for effective communications in the Insider Risk Management Program (IRMP) is universally recommended by the usual authoritative sources. Carnegie Mellon CERT’s Common Sense Guide to Mitigating Insider Threats (Seventh Edition) identifies “Communication of Insider Threat Events” as a vital component of the effort. The guide explains that “event information should be appropriately shared with the correct organizational components, while maintaining workforce member confidentiality and privacy until allegations are fully substantiated.” Notice the focus on “events”. In fact, much of the guidance available across government and industry sources focuses on the event aspect of communicating. That’s unfortunate.
Sometimes overlooked by the IRMP Program Manager is the value a broader communications strategy can bring to the program. The National Insider Threat Task Force (NITTF) offers insight on other objectives of effective program communications in its Maturity Framework. Maturity Element (ME) 7 suggests that a communications plan which strengthens the proactive posture of the program by promoting “an aware and properly trained workforce” is important to countering insider threats. But its value doesn’t end there.
Support building a culture of awareness across the workforce
An aware and engaged workforce is one of the most valuable sensors any insider risk management program can have, and maintaining that posture requires deliberate effort that should be described in your plan. Borrowing from Department of Defense guidance, this effort can be characterized as a vigilance campaign that is “…an ongoing, continual communication program, using a variety of communication platforms such as posters, videos, briefings, and internet sites to keep Insider Threat Awareness and reporting requirements in the forefront for personnel.”
Employees should be encouraged to act on indicators and report concerns to managers, HR, or the program hotline. An engaged workforce also benefits the business with increased profitability, productivity, and innovation, and with lower staff turnover and absenteeism. Disgruntled departing employees, by contrast, have taken data with them and have sabotaged information systems.
Dispel program myths
Your communication plan must also reinforce the foundational principles of governance and confidentiality behind the user activity monitoring element of the IRMP. The goal is to dispel any notion that monitoring is conducted by “cowboys in the basement” and to make clear that it adheres to accepted legal frameworks, such as the General Data Protection Regulation (GDPR) in the European Union and the Gramm-Leach-Bliley Act (GLBA) in the United States. These laws mandate that user activity monitoring be supported by a strong business case, proportional, and transparent, so that it does not infringe individual rights. Dispel the myth that the program is strictly a “big brother” surveillance effort and make clear how the program benefits the workforce. If, for example, your user activity monitoring solution is, wisely, not authorized for employee productivity monitoring, be sure that point is routinely reinforced in your communications campaigns, alongside periodic “good news” anecdotes that illustrate how reporting has led to troubled employees getting the assistance they need. Supporting this strategy, we’ve seen some programs called “employee wellness and accountability program” or similar names that highlight the supportive nature of the effort.
And while maximum transparency is always best, the plan should also specify which components of the program are made public and which are known only to the IRMP team and senior management. Sensitive components of the program such as the specific behavioral indicators or data sources the program uses should not be widely disseminated.
Promote the program internally to sustain senior leadership support
We need more than bad news that repeatedly defines the problem. Monthly anecdotes highlighting employee dismissals or legal outcomes fall short of helping leadership understand the value of their investment. Program success stories and periodic reporting must support and justify financial resourcing and continuous improvement through investment and outspoken support in the C-Suite and the Boardroom.
For example, senior leadership should hear value statements describing how the program is:
- Securing critical intellectual property at the backbone of current and future business, competitive advantage, and reputation
- Reducing employee stress by identifying inefficient or restrictive processes, delivering lower turnover of human capital, less disgruntlement, and lower insider risk
- Adjusting technical controls and policies to take into account different requirements and use cases across the workforce, strengthening security while optimizing business operations
- Identifying at-risk employees and engaging employee assistance programs to reduce risks such as disgruntlement that might lead to workplace violence issues
Several years ago, the Department of Defense published a series of insider risk best practices, one of which was titled “Strategic Communications for the Workforce”. In the guide you’ll find that some defense components lamented that most of their insider risk messaging themes were related to counterintelligence and unauthorized disclosures and that not enough communications were focused on positive aspects of the program.
Recall we’re managing broader risks such as:
- Insider trading, M&A non-public information handling
- Extremism, workplace violence
- Media leaks
- Corporate espionage
- PII and customer data spillage
- Sabotage
- Supply chain integrity
- Theft of trade secrets
- Fraud
- Regulatory Compliance
- Other negative behavior
Be sure your communications support the wide range of risks and are not just focused on the dramatic thumb drive event.
Help keep managers and supervisors on message
Behavioral psychologists and other insider risk researchers generally agree that supervisors and managers play a critical role in a successful risk management program. For example, Dr. Eric Shaw’s Critical Pathway to Insider Risk describes his assessment that a maladaptive organizational response can exacerbate the problem when management fails to act on reported or known insider concerns, or reacts in a way that further fuels employee disgruntlement. Thus, it is important that supervisors and managers receive consistent communication and messaging training. Leadership teams should reinforce the idea that the IRMP is managed and viewed as supportive first, and punitive only when necessary.
Support situational awareness among stakeholders during critical insider events
This is the incident response component we know all too well. The Carnegie Mellon CERT Insider Threat Program Evaluation assesses whether a communication plan provides adequate situational awareness to the organization’s stakeholders during a crisis event, but it further evaluates whether the plan announces and promotes the IRMP internally. Interestingly, that evaluation criterion helps rate your program as “above average” if your plan hits the mark. Raise the priority of communications early, or your program may never reach the proactive, above-average level before it suffers budget cuts or diminishing leadership support.
Your Insider Risk Management Communications Plan must address the needs of the program before, during, and after critical events, not just during incident response. Engage your workforce sensors, train your managers to act, and sustain senior leadership support for the program by highlighting the broad, positive impact the program is having on the organization, its employees, and investors.
Daniel Velez
Sr. Manager, Insider Risk Services
Supporting insider risk program development, improving Everfox mission-supporting technologies, and operationalizing those solutions to drive the outcomes organizations demand. He brings over 16 years of experience in the Insider Risk and Insider Threat space at Raytheon, Amazon, Forcepoint, and Everfox.