Chapter 1
How closely does your organization track insider risk?
Insider risk managers should take a full inventory of their organization’s IP assets.
The first step toward managing insider risk is to cultivate awareness of potential insider risks across the full spectrum of an organization’s activities. That awareness promotes a proactive stance toward such risks — a stance that most businesses already take toward external risks.
Several recent developments have intensified the urgency of broadening businesses’ approach to insider risk. One is the growth of programs organized by some governments to obtain IP by fair means or foul; the Thousand Talents Program is an example of such an effort. Another important development is the shift from employees with traditional, longer-term tenure expectations at a single employer to a workforce with less organizational loyalty. These employees may take a more casual view of IP integrity and information security. But the most significant development is the COVID-19 pandemic and the resulting massive shift to remote work, which has introduced a wide array of new vulnerabilities for risk managers to address. For example, remote work has sharply reduced the number of face-to-face interactions in the workplace, which is often where possibly significant changes in an employee’s behavior or attitude first appear. In place of such interactions, risk professionals have stepped up their reliance on technology-assisted behavioral assessment, applying the techniques of external security programs to insider risk.
Just as with external threats, companies cannot mitigate internal risk simply by out-designing or out-developing malicious actors. Instead, a growing number of organizations are setting up dedicated insider risk teams to aggressively address insider risk before it strikes. Typically, such teams consist of stakeholders from across the organization — including representatives from legal and compliance, HR, IT, finance and other departments — collaborating under the leadership of a single lead, who owns the program and is accountable for its performance. To an increasing extent, such dedicated organizations are responsible for acquiring the technology necessary to do their job.
Or not acquiring it, as the case may be: many organizations are discovering that some of the security tools they already have in place can be adapted to address insider risk. In most cases, however, organizations lack the complete array of necessary tools. Many need to supplement their existing technology with components designed expressly to detect insider risk, such as user and entity behavior analytics (UEBA); enhancements to physical security (workplace violence, after all, remains a salient form of insider risk); and capabilities such as CCTV coverage of photocopiers and other office equipment. Veterans of insider risk engagements note that while many companies are effective in some aspects of insider risk management, few possess the full spectrum of necessary capabilities, skills and technology.
An effective insider risk program, however, is more than the sum of its technological features. It is a comprehensive framework that leverages technology to address insider risk along multiple dimensions. The framework enables an organization to prioritize risk mitigation activities to protect an organization’s most valuable and vulnerable data assets, and apply human judgment to distinguish between genuine threats to IP assets and “false positives” generated by random variations in data flows.
Chapter 2
Steps to mitigate insider risk
Success requires visible leadership support, plus funding, talent and technology infrastructure.
Merely establishing an insider risk program is no guarantee of success. A common complaint among former law enforcement agents recruited to develop such programs is that they often begin and end with the appointment of an executive to lead the effort. Experienced insider risk professionals say that, to be effective, these programs require visible support from senior leadership and the funding, talent and technological infrastructure needed to succeed. The digital tools, data and expertise needed to counter formidable state-backed adversaries form the core of that infrastructure.
The professionals further recommend that insider risk managers take a full inventory of their organization’s IP assets, and work to ensure that management can see every feature of the IP landscape. They should also shape their program along the contours of the company’s culture, recognizing that the high-security, surveillance-intensive environments typical of defense contractors may be ill-suited to more informal, entrepreneurial organizations. And of course, while protecting their data assets, companies also need to remain within the bounds of data-privacy laws and regulations.
Consider these steps to counter insider risk:
- Do not just appoint a director of insider risk; give the director the organization, funding, performance metrics and visible support from the top.
- Continuously assess your insider risk technology stack to identify gaps in coverage and operational areas where visibility is limited.
- Educate the board about current risks and provide tangible industry examples.
- Do not just respond to specific incidents — study them to learn how to prevent them from happening again.
- Do an IP assessment — by taking inventory of a firm’s IP, you can begin to pinpoint who is likely to threaten it and shift processes with IP developments.
Those steps alone can set an organization on the path toward establishing an effective, proactive insider risk program. Is your organization fully prepared, or is there doubt about how to fortify your business against these types of risks?
Summary
Organizations need a comprehensive framework that enables them to protect their most valuable and vulnerable data assets from insider risk.