8 minute read 14 Jul 2022

How leading organizations tackle insider risk

By Lou Bladel

Managing Director, Assurance, Forensic & Integrity Services, Ernst & Young LLP

Former FBI special agent with over 26 years of investigative and leadership experience.


With insider risk incidents growing 44% since 2020, businesses must actively protect themselves from the damage these risks can inflict.

Questions to ask

  • Can your organization defend itself against insider risk?
  • What steps should an organization take to mitigate insider risk?
  • How can an effective insider risk framework protect an organization?

Insider risk comes in many guises. At one extreme are state-sponsored programs focused on obtaining, legally or otherwise, technology and intellectual property (IP) from foreign companies and governments. Harvard University chemistry professor Charles Lieber participated in just such a program, to his cost. In December 2021, he was convicted in federal court of illegally concealing his links to the Thousand Talents Program, a Chinese government initiative to recruit people to obtain IP and foreign technology for China. Prosecutors said Lieber hid from federal authorities the money China paid him to publish articles, organize international conferences and apply for patents on behalf of Wuhan University of Technology. Lieber is pursuing an appeal.2

At the other end of the spectrum — and occurring with much greater frequency than malicious exploits like the one described above — are employees who have been working remotely since the onset of the COVID-19 pandemic. Those employees may not realize that their laptops, tablets or smartphones may be storehouses of their employer’s proprietary information, even after their term of employment has ended. Or they may feel entitled to retain data they helped to design or implement. They might not consider that information in their possession could be misused by a malicious actor in a way that negatively impacts the confidentiality, integrity and availability of critical company data assets.

With insider risk incidents growing 44% since 2020,3 the need is clear for businesses, especially those whose strategies rest on a foundation of IP and proprietary data, to actively protect themselves from damage that insider risks can inflict. To help companies defend themselves, EY teams have developed a holistic approach to insider risk. EY professionals can provide clients with industry insights, leading practices and technology solutions needed to implement enhanced security programs effectively, using digital tools from vendors such as Microsoft and adopting innovative technology solutions such as user and entity behavioral analytics (UEBA). Those methodologies and digital tools support experienced IT professionals, HR managers and compliance officers in identifying data usage patterns and behavioral anomalies that warrant a closer look.


Chapter 1

How closely does your organization track insider risk?

Insider risk managers should take a full inventory of their organization’s IP assets.

The first step toward managing insider risk is to cultivate awareness of potential insider risks across the full spectrum of an organization’s activities. That awareness promotes a proactive stance toward such risks — a stance that most businesses already take toward external risks.

Several recent developments have intensified the urgency of broadening businesses’ approach to insider risk. One is the growth of programs organized by some governments to obtain IP by fair means or foul; the Thousand Talents Program is an example of such an effort. Another important development is the influx of employees shifting from traditional, longer-term tenure expectations at a single employer to a workforce with less organizational loyalty. They may take a more casual view of IP integrity and information security. But the most significant development is the COVID-19 pandemic and the resulting massive shift to remote work, which has introduced a wide array of new vulnerabilities for risk managers to address. For example, remote work has sharply reduced the number of face-to-face interactions in the workplace, which is often where significant changes in an employee’s behavior or attitude first appear. In place of such interactions, risk professionals have stepped up their reliance on technology-assisted behavioral assessment, applying the techniques of external security programs to insider risk.

Just as with external threats, companies cannot mitigate internal risk simply by out-designing or out-developing malicious actors. Instead, a growing number of organizations are setting up dedicated insider risk teams to aggressively address insider risk before it strikes. Typically, such teams consist of stakeholders from across the organization — including representatives from legal and compliance, HR, IT, finance and other departments — collaborating under the leadership of a single lead, who owns the program and is accountable for its performance. To an increasing extent, such dedicated organizations are responsible for acquiring the technology necessary to do their job.

Or not acquiring it, as the case may be: many organizations are discovering that some of the security tools they already have in place can be adapted to addressing insider risk. In most cases, however, organizations lack the complete array of necessary tools. Many need to supplement their existing technology with components designed expressly to detect insider risk, such as UEBA; enhancements to physical security (workplace violence, after all, remains a salient form of insider risk); and capabilities, such as CCTV coverage of photocopiers and other office equipment. Veterans of insider risk engagements note that while many companies are effective in some aspects of insider risk management, few possess the full spectrum of necessary capabilities, skills and technology.

An effective insider risk program, however, is more than the sum of its technological features. It is a comprehensive framework that leverages technology to address insider risk along multiple dimensions. The framework enables an organization to prioritize risk mitigation activities to protect an organization’s most valuable and vulnerable data assets, and apply human judgment to distinguish between genuine threats to IP assets and “false positives” generated by random variations in data flows.
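As an added illustration of the point about baselines and false positives (example code written for this page, not an EY tool or any product’s UEBA engine): each user’s daily download count is scored against that user’s own history, so a naturally high-volume, noisy user is not flagged while a quiet user’s sudden spike is, and every hit is handed to a reviewer rather than treated as a verdict. The log lines, user names and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log: (user, day, documents downloaded). The "analyst"
# legitimately moves a lot of documents every day; the "engineer" does not.
ACCESS_LOG = [
    ("analyst", 1, 40), ("analyst", 2, 55), ("analyst", 3, 47), ("analyst", 4, 60),
    ("analyst", 5, 38), ("analyst", 6, 52), ("analyst", 7, 45),
    ("engineer", 1, 4), ("engineer", 2, 6), ("engineer", 3, 5), ("engineer", 4, 3),
    ("engineer", 5, 5), ("engineer", 6, 4), ("engineer", 7, 48),
]


def robust_score(value, history):
    """Distance of value from the user's own median, in MAD units.

    Median and median absolute deviation resist the random day-to-day
    variation that inflates mean/std-dev scores and produces false positives.
    """
    if len(history) < 3:
        return 0.0  # too little baseline to judge; never score a new user on day one
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # floor for perfectly steady users
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to a std-dev equivalent


def flag_anomalies(log, threshold=5.0):
    """Return [(user, day, count, score)] for days far above the user's own
    baseline. Each entry is a lead for human review, not proof of intent."""
    history = defaultdict(list)
    hits = []
    for user, day, count in sorted(log, key=lambda r: (r[0], r[1])):
        score = robust_score(count, history[user])
        if score > threshold:
            hits.append((user, day, count, round(score, 1)))
        history[user].append(count)  # the event becomes part of the baseline
    return hits


def global_threshold_hits(log, limit=45):
    """Naive one-size-fits-all rule for comparison: it flags the analyst's
    ordinary workload repeatedly, burying the engineer's genuine spike."""
    return [(u, d, c) for u, d, c in log if c > limit]


if __name__ == "__main__":
    print("per-user baseline:", flag_anomalies(ACCESS_LOG))
    print("global threshold:", global_threshold_hits(ACCESS_LOG))
```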


Chapter 2

Steps to mitigate insider risk

Success requires visible leadership support, plus funding, talent and technology infrastructure.

Merely establishing an insider risk program is no guarantee of success. A common complaint among former law enforcement agents recruited to develop such programs is that they often begin and end with the appointment of an executive to lead the effort. Experienced insider risk professionals say that, to be effective, these programs require visible support from senior leadership and the funding, talent and technological infrastructure needed to succeed. The digital tools, data and expertise needed to counter formidable state-backed adversaries form the core of that infrastructure.

The professionals further recommend that insider risk managers take a full inventory of their organization’s IP assets, and work to ensure that management can see every feature of the IP landscape. They should also shape their program along the contours of the company’s culture, recognizing that the high-security, surveillance-intensive environments typical of defense contractors may be ill-suited to more informal, entrepreneurial organizations. And of course, while protecting their data assets, companies also need to remain within the bounds of data-privacy laws and regulations.

Consider these steps to counter insider risk:

  • Do not just appoint a director of insider risk; give the director the organization, funding, performance metrics and visible support from the top.
  • Continuously assess your insider risk technology stack to identify gaps in coverage and operational areas where visibility is limited.
  • Educate the board about current risks and provide tangible industry examples.
  • Do not just respond to specific incidents — study them to learn how to prevent them from happening again.
  • Do an IP assessment — by taking inventory of a firm’s IP, you can begin to pinpoint who is likely to threaten it and adjust processes as the IP portfolio develops.

Just those steps alone can set an organization on the path toward establishing an effective, proactive insider risk program. Is your organization fully prepared, or is there doubt about how to fortify your business against these types of risks?

Summary

Organizations need a comprehensive framework that enables them to protect their most valuable and vulnerable data assets from insider risk.
