Best practices for releasing your risk management program

The way we do business is continually shifting. In the last three years, workforces have gone fully or partially remote, data has migrated into the cloud, and third-party vendors have become a critical part of everyday business. These, and other changes such as the Great Resignation, have led to an increase in “insider risks.” 

The term “insiders” applies to current or former employees, contractors, vendors or business partners who have, or had, authorized access to an organization’s network or IT systems. According to a recent study, the number of insider-related incidents has increased by 47% in the last two years. 

Risk from trusted insiders takes many forms. Intellectual property, customer financial information and other proprietary data can be downloaded by employees hoping to profit from the sale of other people’s private information. Or an employee may be simply moving on to a new opportunity and decide to take company data with them, unaware that this violates data privacy policy. 

Regardless of the intent behind the actions, resulting incidents can be costly to remediate and carry hefty non-compliance fines. In fact, a 2022 global report revealed that in the past two years, the cost to remediate incidents caused by insiders rose 44% to $15.4M USD. 

As insider risks become more prevalent and costly to solve, companies are putting programs in place to mitigate risk. Combining technology, process, controls, and a culture of education, these programs are a company’s strongest line of defense in protecting against financial, reputational and legal consequences. 

When rolling out their insider risk management program, consider the following five areas:

1. The prevalence and risk-level posed by each type of insider threat
2. The scope and vision of the program 
3. Establishing a clear charter
4. The inclusion of technology
5. Development of a communication plan to ensure employee buy-in  

Risk posed by each of the three types of insider risks

Insider threats take three main forms. 

1. Malicious. These insiders tend to act independently. They have means and knowledge to access data and demonstrate clear intent to cause a breach. Research by the Ponemon Institute malicious insiders account for 26% of incidents. These incidents can be hard to detect, and on average cost $648,062 to remediate.

2. Inadvertent.  The inadvertent insider unwittingly, through human error or lack of understanding of policies, creates a security threat. This is the most common insider incident. The same Ponemon report shows that 56% of insider attacks are due to negligence, and cost an average of $484,931 per incident to remediate.

3. Third Party.  Contractors or third party service providers, such as communication applications and supply chain services, where a significant amount of private data can inadvertently be sitting, can also be the source of security incidents. 

Companies will often do an assessment to understand the level of risk posed to their company in each area. Do they have policies in place but no way of knowing if they’re being followed? Are employees educated on policies? Depending on the answers to those questions, companies may be at greater risk of incidents due to employee negligence. Similarly, if they use third parties in a manner that’s unregulated, they may need to address that aspect of the business sooner than later.

Scope, vision and key indicators for success

Once the company’s appetite for risk and risk posed by insiders is established, the scope of the program, vision for execution, and key indicators for success can be defined. 

Among other critical areas, defining an incident response protocol is essential. Evidence of this is required by most privacy laws, including GDPR. And while this plan must be in place, in order to minimize the need to employ it, companies are leveraging technology focused on risk prevention.

A clear charter 

Successful rollout requires detailing ownership of every facet of the program. This includes everything from the evaluation of adoption and success metrics, to employee training and awareness, ongoing policy enforcement, frequency of risk assessment audits, and more. 

A champion to lead the effort must be identified, as well as a group of engaged stakeholders to provide support. To free up the financial and staffing resources needed to make the program successful, the executive team must be brought into a well articulated outcome-based vision of what this work will enable and the benefits to the company. 

Within the executive team, two business units that will be critical to bring into the process early and often are legal and HR. As the teams that deal with people and compliance, their counsel and consultation will greatly impact program success.

Including technology 

Companies are focused on using technology to prevent insider incidents and the time, money and resources required to remediate them. Here are five key areas to include in your evaluation criteria when assessing insider risk technology: 

24/7 monitoring and proactive notifications of policy violating behavior 

While it’s prudent to have an incident remediation plan in place, the focus should be on incident prevention. Receiving notifications of risky behavior enables teams to take action before an incident occurs.

Quantification of risk 

Information security teams need proactive indicators and benchmarks to measure and watch risk as it evolves. 

Data element tracking 

Looking at file activity, as 99% of the tools on the market do, is insufficient. One file could have 1000s of data elements. True assessment of risk requires visibility into the data in the file.

A historical record of data movement between employees

When an incident occurs, time is of the essence. Data element tracking enables a historical record of movement of data between employees, eliminating the need for manual investigations.

An intelligence dashboard that surfaces actionable intel

Having a centralized view of quantified risk across the business is critical.

How Desjardins uses technology to prevent insider threats

Desjardins, home to the largest federation of credit unions in North America, turned to Qohash’s Qostodian Prime to prevent insider incidents. Prime registers and scores every new data element as it enters Desjardins’ business systems. It then monitors employee interactions with any sensitive data element, providing alerts the instant risky or policy violating behavior occurs.  

The Desjardins team can see how a specific data element traveled from employee to employee over time – without having to do anything manually. They quickly see how it got out of a secure environment, where it ended up, and every step in between. They also view risk levels by department and employee and can see how those risk levels change over time. While monitoring 53,000 employees and more than 100 arrivals and departures daily, they can add employees deemed “risky” to their dashboard for closer monitoring.

The importance of communication

Rolling out a program of this nature requires careful internal communication. Providing transparency about the scope and purpose of the program can help insiders feel informed and empowered, as opposed to being distrusted or surveilled. 

The following elements should be considered as part of the communication plan: 

• Communicating the scope of the insider threat program (monitoring employee interactions with sensitive data, rather than general surveillance) 
• Continuously communicating with employees about organizational policies involving sensitive data, and how they will be enforced, so that there are no surprises
• Conducting routine, mandatory insider threat cybersecurity awareness training
• Creating a platform for employees and managers to provide feedback, share concerns and address grievances. ‚