Information security’s empathy imperative

Information security’s empathy imperative
We may earn a commission from links on this page.

America is in the middle of a massive shift from an elongated “me” period of history to an overdue “we” period. Empathy is having a moment, and it’s taking center stage in insider risk management.

A recent study out of CyLab, Carnegie Mellon University’s Security and Privacy Institute, found that negative deterrence actions like employee constraints, monitoring, and punishment don’t reduce insider risk. What does work: making employee engagement, connection, and well-being the priority.

Digital empathy is now a frontline defense in information security, critically important for insider risk reduction and organizational resilience. It’s essential for employee trust, morale, and loyalty, and is at the core of some of the most ubiquitous technology in use worldwide.

Here’s what to know about the empathy imperative, including insights from information security leaders who are putting it to work, and guidelines for making empathy a pillar of an effective cybersecurity posture.

Make empathy a team effort

Insiders are employees, contractors, or anyone with access to sensitive corporate information. While there are numerous cases of ill-intentioned actions, the CyLab study says more than half of risks from insiders are unintentional, like a user turning off security controls so they can download software from the internet for peer-to-peer sharing, or a healthcare worker looking up an off-limits patient record for their family member.

“We assume positive intent, knowing that mistakes happen,” says Greg Petersen, a senior director of security technology at professional services firm Avanade. “When they do, our people nudge the employee to use better methods. If intent is not innocent, that person learns that we have visibility into a negative behavior. Hopefully, this bump against the guardrails helps them to make better decisions going forward.”

Image for article titled Information security’s empathy imperative

A business won’t be successful unless its workers think of themselves as a crucial part of the security solution. Remote and hybrid workforces have created millions of new endpoints for infosec teams to protect, driving explosive growth in potential insider risks. Personal devices are connected to corporate VPNs, and home desktop computers may be shared by the whole family. Successful insider risk management is built around making end users allies in the fight to protect sensitive information.

On the technology side, solutions need to meet users where they are, whether it’s at a home office doubling as a pantry or a hot desk used by multiple international consultants. Technology shouldn’t gum up productivity; it must be able to sift through billions of signals, find those that could represent true risks, and send up the highest priority alerts to accelerate time to action. Most importantly, it should increase an IT team’s efficiency by directing resources where the greatest risks lie.

Build trust, receive trust

About 90% of Avanade employees work far from the office perimeter. The company must protect its own highly proprietary data and conform with myriad data regulations around the globe, making compliance and security complex. They found that Microsoft 365 Insider Risk Management was the best solution to simplify and elevate the company’s insider risk management strategy, fast.

Insider risk management at Avanade relies on the integrity and security/compliance awareness of their workforce. It includes ongoing education about data security, information sharing about company insider risk policies, and technology to maintain secure behaviors. Avanade’s HR, legal, and IT security teams collaborate closely to balance employee privacy with company safety. Everything is based on a circle of trust.

“Our employees trust us to create the solutions that help them to be effective in the market, and we further build trust by educating them about our insider risk policies and solutions,” notes Avanade CIO Bob Bruns. “Client trust builds from that. Only companies that trust us will do business with us, and mitigating insider risk is key to their faith in us. When they know that we’re protecting our employees, and by extension the assets they are partnering with us to develop, deploy, or execute, our relationship grows from a solid foundation.”

Lighten infosec tech’s load

For your IT and security analysts, digital empathy means making the job of risk management easier. Microsoft Insider Risk Management leverages signals natively from Windows 10. There are no agents that represent another attack surface and no deployment to company machines. Insider Risk Management also automatically surfaces signals from Microsoft 365 workloads without any scripts to configure or continuously manage and maintain.

“SharePoint, Exchange, Teams, and OneDrive are already integrated,” Petersen explains. “All we have to do is choose and set up an appropriate policy template and manage it.”

Some of the other features of Microsoft’s solution popular with Avanade’s IT team and others include:

  • Pseudonymization that protects employee privacy while providing the necessary visibility into activity to protect the company.
  • Automated curation of Microsoft 365 audit logs and signals, replacing the time sink of manual data collection, ingestion, and decoding.
  • Holistic integration, with native interoperability across Microsoft Azure Active Directory, Microsoft Cloud Access Security, Microsoft 365 Defender for Endpoint, Microsoft Advanced eDiscovery, and Microsoft Information Protection.

Equipped with the right end-to-end solution, your infosec team can strengthen employee trust when unintentional mistakes happen. Instead of revoking an employee’s access rights or creating unfounded suspicion, the security team has the context they need to offer the proper recommendation—like training.

Put your people first

Done wrong, infosec controls can result in a toxic, Minority Report PreCrime Division-esque atmosphere. The last thing you want is for employees to feel like you don’t trust them: I’m already being asked to figure out how to remote work, now they’re bugging me with all these security alerts. Don’t they know we’re on the same team?

Done right, infosec technology can uplift. Security solutions can sniff out credible risks and allow people to work when, where, and how they need to be productive. Organizations can see across apps, endpoints, networks, and users, so that their workforce has secure access to more corporate resources. Work collaboration can be seamless while detection of risk goes on in the background.

“Our mantra is to keep honest people honest,” says Petersen. 

Keeping people at the center of the security model is an organizational imperative, especially in times of stress—pandemics, wildfires, hurricanes, and economic or societal disruption—because that’s when user mistakes are more likely. The infosec solutions built on empathy are best at keeping these errors from cascading into major breaches.

Learn more about implementing an empathy-based infosec strategy and check out Microsoft’s podcast Uncovering Hidden Risks.