Don’t Be A Passive Bystander — Take An Active Approach To Insider Risk
2023 is the fifth anniversary of National Insider Threat Awareness Month. This year’s theme is “bystander engagement” to indicate how essential it is for everyone to report insider incidents and take an active role in curtailing insider risk.
Bystanders can be passive or active. Passive bystanders may witness an incident but not get actively involved. Active bystanders get involved. They help out. Addressing insider risk requires an active approach to prevent, detect, and respond to insider incidents.
One of Forrester’s best practices for managing insider risk is to turn your employees into advocates for the program. This goes beyond traditional security awareness training. It involves changing your security culture so that users are good data stewards.
Users also become the eyes and ears of the insider risk program, reporting unsafe behavior. For example, fellow Apple employees spotted Jizhong Chen, who later pled guilty to trade secret theft, taking pictures of a secret workspace where Apple conducted autonomous car research. The FBI eventually found that Chen had “over two thousand files containing confidential and proprietary Apple material.” In another example of employees doing the right thing to catch an insider, employees of manufacturer Cree found an SD card lying on the sidewalk. Knowing that a storage device shouldn’t have been on campus, they turned it in to security. The security team found 32,000 files on the SD card, which contained trade secrets worth $100 million, and traced it back to the user.
To turn your insiders into advocates:
- Train them about the impact of insider incidents. Lost IP, lost customer data, or sabotage can destroy a business. Let your employees know the stakes. Engage in regular training about insider risk and acceptable use policies. Track the training so that there are no excuses for breaches of policy.
- Nudge them to do the right thing. According to Forrester data, 33% of insider incidents are the result of carelessness or accidental data disclosure. Many insider risk platforms and data security solutions offer in-the-moment training to help users make the right decisions about data to nudge them in the right direction.
- Communicate the program openly. Don’t make the insider risk management (IRM) program a secret. Let the employees know you’re watching and how the program works (in general terms). Many IRM programs now have employee communication and training as part of their mandate.
- Establish an anonymous employee tip line. In the spirit of “If you see something, say something,” encourage your users to make anonymous tips about suspicious behavior they’ve observed. MITRE conducted a behavioral experiment to understand why users don’t report insider threat incidents, finding that only 39% of those in the study reported insider threat incidents. This means that you’ll need to encourage your insiders to report and take an active role in data security.
- Let employees know they’re part of the security team. Users are the last line of defense for security. The decisions they make directly impact the success or failure of a phishing scheme or social engineering attempt. They are also your eyes and ears about what’s happening with fellow employees.
Forrester’s Insider Risk Research
Forrester covers insider threat/insider risk in our research. Here are a few recent insider risk reports (client access only) to help security and risk pros establish their own IRM program:
Best Practices: Insider Risk Management — This report covers the types of insider risks and provides practical steps to address them.
Internal Incidents Cause Roughly A Quarter Of Breaches, With More Than Half Intentional — This data overview shows the prevalence of data breaches caused by insider incidents.
Manage Insider Risk With Zero Trust — Getting proactive about insider risk also means prioritizing prevention. Forrester’s Zero Trust model of information security was designed to stop insider data theft.
The Insider Risk Management Team Charter — Reducing insider risk requires dedicated focus. This team charter outlines the steps necessary to start an IRM team and provides an accompanying planning template.
Learn More About Insider Risk
My colleague Brian Wrozek and I are also presenting on insider risk and threat intelligence in our session, “Expose Risky Insiders With Threat Intelligence,” at Forrester’s upcoming Security & Risk event in November. I’ll also lead a “Learn-A-Skill” session on building an IRM function at the event.
Forrester clients can schedule an inquiry or guidance session with me to do a deeper dive on insider risk and learn how to start their own IRM program.