Culture is the Key to Disarming Insider Threat
By Tara Carcillo
The evidence of the impacts and damage that insider threats could have to an organization is staggering. From data loss that derails services, to overwhelming financial burdens – not to mention the reputational cost — insider threat is a crucial issue for today’s executives.
According to a study by Kroll, a division of Duff & Phelps, insider threats are a significant vulnerability to an organization:
- Three in four businesses suffering a breach had their data leaked by employees and third-party vendors
- Over half of all data breaches occur by accident
- Seventy five percent of breaches resulted from using workplace hardware or data outside the office environment
- External campaign groups are more feared than vendors even though vendors originated more breaches
- A third of businesses contract without provisions for how to proceed in the event of a confidential data breach
When we meet with executives overcoming the losses from data breaches, they are often surprised that their technical controls, risk programs, and investigative frameworks are not enough to protect business assets. The growing consensus across risk and security officers is that insider threat is not primarily a technology issue, nor is it even an investment issue. Protecting organizations from insider threats is a social and cultural imperative.
The good news from the research, and what some leaders are finding, is that organizations can substantially mitigate insider threats with existing resources. The best strategy for insider threat management is the right application of leadership and communication skills, and the ability to prioritize a few important culture shifts within an organization.
As CEO of The Clearing, I work with leaders of businesses and federal agencies to develop intentional action plans to transform organizational culture. Intentional shifts in culture are an emerging strategy to manage insider threats. When you are intentional about the habits, beliefs, practices, and social norms of an organization, you can create positive, sustainable shifts in your culture to reduce the risk of insider threat.
Critical First Step: Get to Know Your Culture from an Insider Risk Perspective
The distinctive approach we take with our clients acknowledges reality: employees are often too busy to develop a concern about unwittingly succumbing to a cyber attack, or performing a technical error that makes their organization vulnerable. Yet, in real time, a workforce collectively needs to adapt to changing markets and a new way of working.
Through a process we call enacting an intentional culture, leaders are setting conditions for organizational performance that have a drastic impact on the bottom line of insider threat management.
To enact an intentional culture, an organization should perform a cultural assessment. In this process, you will need to capture the specific parts of your organizational culture that influence insider threat risk. Consider interviewing key individuals across the enterprise using in-person interviews, focus groups, surveys, and leadership interactions.
The most effective cultural assessments do not start with a problem or a hypothesis, but with a topic. Do not ask directly about risk or threat; be curious about creating a picture of reality through indirect topics that directly affect the nature and tolerance of risk in your organization. The goal of the cultural assessment is to identify the root cause. Understanding the root causes within an organization is essential to building an insider threat program that works for the mission and culture.
A feature of effective insider threat programs is intentional conversations among senior leadership and the workforce. In these challenging conversations, leaders handle conflict and make sense of the risk level. Or, as we like to say, leaders create a clearing for critical conversations.
Understanding the culture and risk tolerance within their organizations, leaders then initiate conversations to begin designing the insider threat program. By challenging norms and outdated structures, these groups are designing effective, targeted insider threat and risk programs that allow the frontline to drive value for customers without breaking the organization.
When adopting an insider threat and risk programs, organizations need to understand what happens when you say ‘yes,’ especially if the program recommends a one-size-fits-all approach.
However, when you listen to the right feedback from the workforce prior to and during implementation, you can design an insider threat program that has a positive impact across the organization and increases trust with customers.
If you would like to join in the conversation with others who are on the edge of insider threat and risk program innovation, email me at Tara.Carcillo@theclearing.com. I look forward to sharing more details about the impacts our approach has on business value. Stay tuned!