Insider risk management starts with insider goodwill


An employee checks their bank account while logged onto the corporate network. An administrator copies proprietary information not part of their typical assignment. A contractor logs on to an unsecured network to catch up on emails.

These are examples of insider risk, or the potential for workers to use their authorized access to sensitive assets in ways that jeopardize an organization’s people, data, processes, technologies, or facilities, whether intentionally or unintentionally.

[Figure: insider threats. Source: CyLab, Carnegie Mellon University Security and Privacy Institute]

Insider risk management is a tricky beast. While technologies are part of the solution, it takes insider goodwill—established through thoughtful implementation of Insider Risk Management programs—to ensure sustained security and success. Here’s how you can adopt a people-first security posture that builds employee engagement and protects your workplace.

Consider the behavior and context

Risk reduction requires focusing not just on employee behavior but on employee context. For example, someone who feels overworked may cut corners in response to pressures at work and at home. Implemented poorly, Insider Risk Management programs can create their own risks by infringing on employee privacy and civil liberties, sapping productivity, and undermining trust. It’s strategic to intervene when stress might pose a risk, not just to limit damage to the organization but to show support for your employees as multifaceted people.

A new CyLab study from Carnegie Mellon University’s Security and Privacy Institute shows that there is powerful synergy when organizations aim for a holistic, empathetic security approach and better workplace culture. It turns out that nurturing insider goodwill is key to reducing insider threats, both unintentional and malicious.

Balancing internal and external perspectives in Insider Risk Management implementation

[Figure: A balanced Insider Risk Management approach is more likely to lead to intended positive outcomes. An approach that places uneven weight on various factors or perspectives may yield unintended or negative outcomes.]

Collaborate with human resources

Human resources departments are often siloed from the rest of the company, resulting in missed opportunities for a successful Insider Risk Management program. Typically, HR owns much of the data that can help make sense of the millions of signals an organization must reason over to identify insider risks. Machine learning systems alone aren’t enough. Teaming up with HR allows infosec teams to gain context for all the alerts being generated by automated security technology, and it ensures employee privacy is protected.

Your HR team has a unique perspective that lets them identify organizational stressors—busy seasons, corporate changes—and get ahead of them before they open up windows for insider risk. They are also privy to onboarding, offboarding, time off, and remote work processes, all of which come with their own chance of a security breach. With HR officers’ ability to influence policy and perks that can help head off risk, tapping into their power creates wins not just for cybersecurity, but for your entire enterprise.

Protect without punishment

Traditional security paradigms attempt to force rather than attract individuals to the “right” behavior. They focus on targeted attacks and negative deterrence actions—constraints, monitoring, punishment—and neglect to envision unintentional threats, like downloading a malware-infected game or pirating software on a work-issued device. This outdated approach demonizes your crew and may stoke paranoia or hostility.

Instead, companies can strive to make their people feel more valued. They can use tools that flag risks, prevent incidents, and improve employee experience overall by allowing them to work when, where, and how they need to. Insider Risk Management in Microsoft 365 includes opt-in privacy controls, provides speedy solutions for breaches, and leverages machine learning to detect potentially risky activities across apps and endpoints, helping decision makers take appropriate action more quickly.

Boost culture to lower risk

Before you can count on grumble-free employee participation in Insider Risk Management, your workforce needs to feel that management is on their side. This means fostering a culture of empathy, especially in the era of hybrid and remote work. There is still a long way to go: In the most recent Work Trend Index, one in five global survey respondents said their employer doesn’t care about their work-life balance. In fact, 54% felt overworked, and 39% felt exhausted.

Companies that stay attuned to work-life balance and employee well-being are far better positioned to discern when various stressors might pose a risk. A recent Software Engineering Institute study found a correlation between perceived organizational support and a decrease in the number of insider incidents. When done right, Insider Risk Management can be a program that genuinely improves employees’ work life. This is a competitive advantage that will help your office to thrive.

To explore how you can help your company prevent, detect, and contain risk, learn about insider risk management in Microsoft 365.