As the digital world continues to grow, so does the number, variety, and speed of cyber threats and attacks. The world is full of data, and there is always someone trying to turn it into their own virtual currency.
Today malware and ransomware are hitting everything from our personal cell phones to mission-critical infrastructure and supply chains. Whether it’s phishing, smishing, or vishing, attackers are also becoming more sophisticated, using details about our personal and work lives to tempt us into sharing our data.
But in a world where everyone is a target, companies must also understand their exposure to the risks that come from inside their organizations. Today more than 300 million people work remotely – creating, accessing, sharing, and storing data wherever they go – and data breaches that stem from insider threats and simple accidents can cost businesses an average of $7.5 million per year. Consider the 2022 Cash App data breach, in which a former employee accessed a customer’s financial reports after being terminated. The breach likely affected 8.2 million current and former customers.
In the end, it doesn’t matter whether the breach was intentional or accidental: insider risk programs should be part of every company’s security strategy. To be successful, organizations must take the lead with their employees as partners in the effort and supplement their program with advanced tools that can detect and mitigate insider risks wherever they appear.
Here are four lessons I learned as CISO at Microsoft, managing our insider risk program as it grew from a small internal initiative to a business unit reporting to the CEO.
1. Put employee trust and privacy first
This point comes first for a reason. In business and in life, trust is the key to any functioning relationship. The best insider risk programs strike a balance between employee privacy and company security. It is important to create privacy controls and policies that maintain, and even increase, trust.
Setting up tools to indiscriminately sift through employee activities for wrongdoing is not only ineffective and counterproductive – it’s just plain wrong. It’s an invasion of privacy that creates anxiety and destroys relationships. Organizations must be able to identify insider risks, but they must do so in the right way, acting transparently and within a narrowly defined scope to show respect for employees and give them confidence in the program.
Setting up privacy controls that protect identities at work — even during investigations — lets people know you’re protecting them, too. Using role-based access for insider risk management tools also helps ensure the right person reviews compliance alerts, preventing unnecessary suspicion from creeping into the organization.
2. Collaborate across the company
While IT and security teams take the lead, insider risk is a business problem that involves the entire company. At Microsoft, we’ve learned this over time. What started as an initiative in our security organization has become a collaborative effort across business teams, including legal, HR, and senior leadership.
This broad involvement helps ensure wider buy-in and provides additional insights and resources, such as the legal department staying ahead of emerging regulations and HR running training programs and surveys. An insider risk committee or ombudsperson can help keep the conversation going. One of their first tasks should be to create a response plan that outlines how information will be shared, when and what each group contributes, who makes the decisions, and who is accountable.
It is also important to have shared goals with clear measures of success. You can fine-tune the process by quantifying key metrics such as the number of cases raised, true positive and false positive flags, and actions taken as a result of those flags. If you have too many false positives, you risk overwhelming your HR and legal teams with unnecessary and expensive investigations.
3. Recognize that employees are the first and last line of defense
Getting employees through data protection and compliance training can be challenging, but it’s important they know how to mitigate security risks and why it’s a priority. Training that emphasizes data management shows that the organization trusts its employees as they serve the business.
Train people on how to handle organizational data properly, and repeat that message regularly so it’s always fresh. It also helps to make it personal. Most people immediately understand why they protect their own financial and health care data. Infusing a personal aspect into the training connects the dots on the importance of data protection for the business as well.
Training people on the “see something, say something” principle in a non-threatening manner is a critical competency for an insider program. By improving data security education and training, companies can empower employees as the first and last line of defense supported by analytics tools.
4. Use machine learning tools to do more with less
Gartner defines insider risk management as “the tools and capabilities to measure, identify, and contain bad behavior in trusted accounts within the organization.” Insider risk management tools have gotten more accurate and effective in recent years.
Older tools tend not to see the subtle signs that a bad actor is trying to hide their tracks. They also often have overly rigid controls that lower productivity and encourage workarounds. Now a new breed of insider risk management tools is emerging with adaptive security capabilities that can detect risky activities and mitigate any potential impact while staying out of the way and keeping user information private.
While a single activity such as printing a confidential file may not reveal intent, a series of connected activities such as renaming the file, printing it, and then deleting it may indicate something more serious. Using machine learning, these tools can separate the signal from the noise and detect such subtle sequences of actions, reducing the false positives that can overwhelm the organization.
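The two ideas above, a detector that alerts on a connected sequence of actions rather than on any single action (section 4), and the case/true-positive/false-positive metrics used to tune a program (section 2), can be seen together in a small worked example. This is added illustration code, not code from the article or from Microsoft’s products; the event schema, the `rename → print → delete` rule, the 30-minute window, and the audit events and investigation outcomes are all constructed for the example.

```python
"""Sequence-based insider risk detection over constructed audit events.

A lone "print" is ignored; an alert is raised only when the same user
renames a file, prints it, and deletes it within one time window. The
file is followed across the rename so the chain is matched as one case.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str                    # "rename", "print" or "delete"
    path: str
    new_path: Optional[str] = None  # set only for "rename"


@dataclass
class Alert:
    user: str
    original_path: str              # path the file had before any rename
    events: list


RISKY_SEQUENCE = ("rename", "print", "delete")   # assumed rule
WINDOW = timedelta(minutes=30)                   # assumed window


def detect_sequences(events, sequence=RISKY_SEQUENCE, window=WINDOW):
    """Return one Alert per (user, file) that completes the whole sequence."""
    alias = defaultdict(dict)       # user -> current path -> original path
    progress = defaultdict(list)    # (user, original path) -> matched events
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        origin = alias[ev.user].get(ev.path, ev.path)
        if ev.action == "rename" and ev.new_path:
            alias[ev.user][ev.new_path] = origin   # keep tracking the renamed file
        key = (ev.user, origin)
        matched = progress[key]
        if matched and ev.ts - matched[0].ts > window:
            matched = progress[key] = []           # partial match went stale
        if ev.action == sequence[len(matched)]:   # only the next step advances
            matched.append(ev)
            if len(matched) == len(sequence):
                alerts.append(Alert(ev.user, origin, list(matched)))
                progress[key] = []
    return alerts


def score_alerts(alerts, confirmed):
    """Program metrics from the article: cases raised, true/false positives.

    `confirmed` holds the (user, original_path) pairs that the HR/legal
    review upheld; everything else the detector raised is a false positive.
    """
    tp = sum(1 for a in alerts if (a.user, a.original_path) in confirmed)
    fp = len(alerts) - tp
    return {
        "cases": len(alerts),
        "true_positives": tp,
        "false_positives": fp,
        "precision": tp / len(alerts) if alerts else 0.0,
    }


def _t(hour, minute):
    return datetime(2024, 1, 15, hour, minute)


# Constructed audit log: alice completes the chain, bob only prints, carol's
# chain is too slow to fit the window, dave completes it but is benign.
SAMPLE_EVENTS = [
    Event(_t(9, 0), "alice", "rename", "Q3-forecast.xlsx", "notes.txt"),
    Event(_t(9, 5), "alice", "print", "notes.txt"),
    Event(_t(9, 7), "alice", "delete", "notes.txt"),
    Event(_t(10, 0), "bob", "print", "report.pdf"),
    Event(_t(11, 0), "carol", "rename", "draft.docx", "final.docx"),
    Event(_t(11, 10), "carol", "print", "final.docx"),
    Event(_t(13, 0), "carol", "delete", "final.docx"),
    Event(_t(14, 0), "dave", "rename", "a.pdf", "b.pdf"),
    Event(_t(14, 2), "dave", "print", "b.pdf"),
    Event(_t(14, 3), "dave", "delete", "b.pdf"),
]
CONFIRMED = {("alice", "Q3-forecast.xlsx")}   # constructed review outcome


def run_sample():
    alerts = detect_sequences(SAMPLE_EVENTS)
    return alerts, score_alerts(alerts, CONFIRMED)


if __name__ == "__main__":
    found, metrics = run_sample()
    for a in found:
        print(f"{a.user}: {a.original_path} "
              f"({' -> '.join(e.action for e in a.events)})")
    print(metrics)
```

Running it raises two alerts (alice and dave) and none for bob’s single print or carol’s slow chain; with only alice’s case confirmed, the metrics come out to two cases, one true positive, one false positive, and precision 0.5. Tightening the window or adding a step to the sequence trades recall for fewer false positives, which is exactly the tuning loop the metrics in section 2 are meant to drive.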
A successful insider risk program focuses on people, processes, and technology
Managing internal and external risks is essential to the security of any organization. Each has its own challenges, but what makes managing insider risk particularly difficult is the need to balance people, processes, and technology.
Powerful tools can help prevent, identify, and respond to insider risks — but they can’t address the root causes. That’s where detailed onboarding, security trainings, team building exercises, and work-life balance programs come in handy. Establishing a healthy workplace environment can help reduce the risk of an employee intentionally engaging in dangerous behavior. But at the end of the day, achieving a balance between people and technology is important to everyone. Risk management must be proactive and continuous, and it takes trust, transparency, and collaboration to keep the engine running. This philosophy – people first, backed by powerful technology – is the only way to prevent incidents before they happen, detect them when they happen, and respond to them quickly and effectively.