Five pitfalls to avoid when building your insider risk program
Insider crimes are a very real and costly problem for companies—often more costly than high profile cyberattacks. Despite continued investments in security measures to control and monitor access to sensitive data, more organizations feel vulnerable to breaches caused by insiders. In fact, according to a recent survey of security professionals conducted by LinkedIn’s Information Security Community and Crowd Research Partners, 74% of respondents say their organizations are vulnerable to insider threats, and 56% say insider threat incidents have become more frequent in their organization in the last 12 months.
The good news is that with a well-designed, well-implemented Insider Risk Program, companies can greatly reduce their likelihood of compromise. By using the latest threat detection tools and properly training employees to safeguard information and recognize anomalous behavior, a company can more effectively deter, detect, and respond to internal risks.
Securing Your Organization with an Insider Risk Program
If you’re just getting started, there are a number of resources on how to build an effective Insider Risk Program, including our white paper, 8 Components to Develop a Successful Insider Risk Program. Alongside those best practices, there are common pitfalls, identified in our own work building insider risk programs, that can derail your efforts.
Pitfall 1: Having Too Narrow a Scope
The goal of an Insider Risk Program is to minimize the cost of insider risk in the organization. A narrow focus limits the program’s ability to accurately identify insider risk across the enterprise.
For example, focusing heavily on tracking file movement can cause other important activities, such as changes in an employee’s user activity, to go unnoticed. An enterprise-wide approach that looks at multiple data sources will help the program to accurately assess and mitigate insider risk.
An additional benefit of a properly scoped program is the ability to verify employees’ compliance with information security policy across the organization. An enterprise-wide view allows the program to recognize and respond to employees who access information unrelated to their normal business activity.
Pitfall 2: Overreliance on Technology
An Insider Risk Program is as much about the people as the technology. Today there are hundreds of insider risk solutions available. For an effective program, we recommend you understand your organization’s business processes and culture, as well as establish a baseline of employee behavior. If you install a set of monitoring and security tools that don’t align with your culture or process, you’ll quickly run into problems and find your program has become too costly to operate.
Another important component is appropriate staffing and training. All the technology in the world is useless without the right people in place to configure and operate it. In addition to training program staff, training employees to securely handle information and recognize concerning behaviors is a valuable method to prevent and detect insider risk.
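To make the points in Pitfalls 1 and 2 concrete, here is an added illustration (not code from this article or any vendor product) of why a file-movement-only view misses activity that a multi-source check scored against each employee's baseline would catch. The baselines, the two users, their departments and repository names, and the day's observations are all constructed sample data.

```python
from dataclasses import dataclass

# Assumed per-employee baseline, built during a baselining period (constructed values).
@dataclass
class Baseline:
    dept: str
    max_bytes_out: int      # largest daily outbound file volume seen during baselining
    logon_hours: range      # typical logon hours (24h clock) seen during baselining
    repos: set              # repositories tied to the employee's normal business activity

BASELINES = {
    "alice": Baseline("engineering", 500_000_000, range(7, 20), {"src", "build"}),
    "bob":   Baseline("engineering", 300_000_000, range(8, 19), {"src", "build"}),
}

# One day of observations per employee, drawn from three sources: DLP/file movement,
# authentication logs, and document-repository access (constructed sample data).
OBSERVED = {
    "alice": {"bytes_out": 900_000_000, "logon_hour": 9, "repos": {"src"}},
    "bob":   {"bytes_out": 150_000_000, "logon_hour": 3, "repos": {"src", "hr-records"}},
}

def file_movement_only(obs, base):
    """Narrow scope (Pitfall 1): flags only when outbound file volume exceeds the baseline."""
    return obs["bytes_out"] > base.max_bytes_out

def enterprise_wide(obs, base):
    """Enterprise-wide scope: each data source is compared with the employee's own
    baseline; returns the list of indicators that fired (empty list means nothing unusual)."""
    indicators = []
    if obs["bytes_out"] > base.max_bytes_out:
        indicators.append("file volume above baseline")
    if obs["logon_hour"] not in base.logon_hours:
        indicators.append("logon outside normal hours")
    unrelated = obs["repos"] - base.repos
    if unrelated:
        indicators.append("access unrelated to normal business activity: "
                          + ", ".join(sorted(unrelated)))
    return indicators

def review_queue(observed=OBSERVED, baselines=BASELINES):
    """Map each employee the enterprise-wide view would escalate to the indicators that fired."""
    queue = {}
    for user, obs in observed.items():
        hits = enterprise_wide(obs, baselines[user])
        if hits:
            queue[user] = hits
    return queue

if __name__ == "__main__":
    for user, obs in OBSERVED.items():
        print(user, "narrow:", file_movement_only(obs, BASELINES[user]),
              "enterprise-wide:", enterprise_wide(obs, BASELINES[user]))
```

In this data, bob moves less data than usual and so never appears in the file-movement-only view, yet the off-hours logon combined with access to a repository outside his normal business activity puts him in the enterprise-wide review queue.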
Pitfall 3: Lacking a Clearly Defined Mission
It is important to define what Insider Risk means to your company and then continue to refine that definition early and often. This includes clearly defining the scope of the Insider Risk Program, as scope creep can slow the implementation of the program due to a focus on non-essential tasks. Once the scope is defined, it is important to understand how changes to the scope impact requirements for software, hardware, and staffing before expanding the program.
Pitfall 4: Ignoring International Laws
International firms must consider the implications of starting a program outside the United States. There are serious consequences to ignoring international laws, including losing up to 4% of an organization’s annual global turnover. While Insider Risk Programs should minimize the cost of insider risk to the organization, severe penalties may eliminate any savings gained from the program.
We recommend consulting the organization’s legal counsel to ensure international deployments are compliant with relevant export compliance and data privacy laws, including the European Union’s General Data Protection Regulation (GDPR). With so much at stake, it pays to take the time to deploy correctly and by the book.
Pitfall 5: Forgetting Existing Resources
To gain and maintain support, the program should show a positive return on investment. Existing organizational resources will reduce costs and allow you to build on mature and reliable processes. Some examples include:
- employing data from cybersecurity, IT, or other divisions
- using an existing incident response program
- tapping departmental processes, information, and expertise, such as legal, HR, and security
In mature organizations, insider risk programs should take care to not duplicate business processes that already exist within the organization. This is costly and inefficient and detracts from the program’s ability to focus on its core competency: mitigating insider risk.