If 2019 taught us only two things, it’s that as we continue to make technological advancements, we can expect data breaches to accelerate alongside them regardless of industry. And as for who is culpable in exposing and stealing confidential information, many involve an organization’s own personnel, Verizon’s 2019 Data Breach Investigations Report finding that 34% of breaches involved internal actors.
Knowing this, many Chief Information Security Officers (CISOs) have already established safeguards against situations where an employee could put the organization in harm’s way. Some have created “ironclad” cyber security and malware detection systems. Some have trained employees on how to identify and resist falling for phishing scams. Still others have taken Gartner’s advice: 1) looking back at how they’ve previously handled insider threat incidents to inform future response; 2) modeling what insider threat might look like via employee scenarios; and 3) investing in employee monitoring.
But even after doing each of these things, some organizations still experience insider threats. Why? The answer has to do with whether they’re continually evaluating high-risk employee behavior, and whether that ongoing evaluation includes a seemingly simple, but nevertheless high-impact capability: anonymous self- and peer-reporting.
Continuous evaluation, for those that aren’t already familiar, takes the old, static background check to the next level. It’s understood that one-and-done, pre-hire background checks aren’t sufficient, and that businesses need more frequent, periodic evaluation of risk. However, few people realize just how fast insider threats can materialize, meaning even month-to-month checks leave ample room for vulnerability.
All it takes is a perfect storm of misfortune. Maybe an employee or an employee’s loved one has fallen ill, or money is tight due to large, unforeseen expenses from a car accident. These and similar situations often push people to consider stealing data, money, or intellectual property, Verizon’s report finding that 71% of breaches were financially motivated.
Continuous evaluation allows CISOs to see in real-time concerning behaviors and other red flags, including the series of events and associated warning signs leading up to such adverse actions. Rather than simply investigating insider threat after the fact, continuous evaluation is capable of truly preventing workplace crime and misconduct.
True prevention is possible due to multiple factors. First, continuous evaluation can pick up influential misfortunes as they arise – in the case of personal stress, it may be multiple interactions with law enforcement outside of work. In being aware of the negative things happening in an employee’s personal life, CISOs have the ability to quickly intervene, before the impact of those events are felt in the workplace.
Intervention looks something like the following: A CISO alerting Human Resources, and Human Resources reaching out to the struggling employee to see how the company might be able to help. Maybe they were slapped with a big medical bill because they didn’t understand the intricacies of the company health plan, which HR could certainly assist with. Maybe HR could talk to their manager about offering flexible hours until things get back under control. Maybe they have a company wellness or employee assistance program HR could refer the employee to, or a financial advisor or credit counselor that can help them get their budget back on track.
True prevention is also possible because some continuous evaluation platforms use anonymous self and peer centralized reporting portals to take into account the observable, qualitative signs of stress that often accompany employees’ negative thoughts and experiences.
Anonymous peer reporting does as its name suggests, allowing employees to confidentially make note of concerning things they see and overhear amongst their team. Perhaps they hear a coworker on a private phone call discussing sensitive company information, or they see a manager taking photos of confidential documents. Both of these events are cause for concern, yet employees may feel uncomfortable marching into an HR office to discuss them face to face. And as we all know, employees don’t use 800 number hotlines, because they don’t trust them to be confidential.
Self-reporting is equally important, especially when you consider that law enforcement isn’t required to alert employers of offenses that may be minor in the eyes of the law. If someone were arrested for DUI, for example, an officer might not run that information by the person’s employer. But if that person is someone whose job responsibilities involve operating machinery or equipment, their employer might want to know about such a violation.
There are benefits to an employee being the first to tell their employer about situations involving misconduct or crime. It allows the employee to control the narrative, alerting their employer to what happened and explaining it in their own words. It gives the employee the ability to be up-front with the situation, and in choosing to do so, establishes a sense of honesty and transparency with their employer. Such a system also builds a foundation of trust, as all incidents and responses are tracked and can therefore be used to ensure fair treatment from one employee to the next.
This combination of continuous evaluation and anonymous incident reporting is the future of insider threat prevention, as it directly addresses the reason why insider threat persists in the presence of existing solutions: the majority of employees don’t think their confidentiality would be protected if they notify leadership to concerning workplace behavior.
Employees’ confidentiality concern runs deeper than being dubbed a “complainer.” If the potential insider threat is based on toxic leadership, their job could be on the line. Or if it’s an issue of workplace harassment or assault, they may fear retaliation should they be seen visiting HR.
In these and other instances, the stakes are incredibly high if an employee chooses to stay quiet. And the only way to overcome this common insider threat barrier is for CISOs to make sure their business not only utilizes continuous evaluation, but also gives employees an effective capability to discreetly share with leadership what they see and experience today, tomorrow, and in the many months and years to come.