Modern security demands an empathy-first approach to insiders

Insider risk can arise anywhere in the company, from anyone. It can come from a disgruntled ex-employee stealing artificial intelligence trade secrets, or from someone poached by a competitor who takes mobile chip design secrets on the way out the door. It could even come from the C-suite, as one company recently learned when its chief financial officer accidentally shared a document titled “Restructuring” with the entire company. Unintentional data disclosures could cause employee unrest or even trigger U.S. Securities and Exchange Commission Regulation Fair Disclosure (Reg FD) filing requirements for public companies, if the leaked data could affect shareholders.

For the security team, it may not be appropriate to take the same approach used for external threats with the chief financial officer over unintentional data sharing. There is a better way.

An empathetic approach to employee investigation

The way we should approach external risks — such as malware — versus those from insiders is very different.

Malware risk vs insider risk table

There are many factors to consider when managing insider risk, especially as they relate to desired business outcomes. Insider investigations should not be solely within the purview of the security team and often require the cooperation of the security, human resources and legal departments. According to Gartner, “Survey data… indicates that more than 50% of internal incidents are non-malicious”, which means that, more often than not, the employee at the root of the incident is simply trying to get their work done, making a mistake or taking a shortcut. Treating them as if their actions were malicious is the wrong approach and can be counterproductive. Those involved in the investigation must take an empathetic approach without judgment. Otherwise, the risk of that employee making the same mistake again, or becoming disgruntled and disempowered, is greatly increased.

Approaching insider investigations with empathy requires a psychological shift. This is the first step to building trust, so that the best results can be achieved for the organization. Here are five key elements of an empathetic approach to insider investigations:

  • Connect to understand: When an event occurs, the first approach can be as casual as, “Hey, we noticed you’ve moved a document to your personal cloud account. Did you intend to do that?” Their response is often surprise, because it was a mistake or they did not realize this was not allowed. Maybe they just needed to get the job done and this was the fastest way.
  • Discover unconscious biases: All humans have conscious and unconscious biases that influence our actions and decisions. The HR team can help other stakeholders uncover these biases and work to mitigate them. It is important to treat all individuals equally, whether they are colleagues, CEOs, or someone in a different group or culture than you.
  • Guarantee partnership and support: If the event is a mistake, let the employee know they are not in trouble. Employees are likely to believe they are, and may wonder whether they might lose their jobs. It is a natural human instinct to become defensive and deny the behavior. Assure them that the event is reversible and that you are willing to help. They are then more likely to be honest about what they were trying to do, and it’s in your interest to help and to recover any exposed or leaked data.
  • Education: When an incident is caused by negligence or accident, it is important to give employees information on how to act properly in the future. Instruction at the time of the error has a big impact and is more likely to be remembered than an annual training session. You can reinforce the conversation with videos, one to three minutes long, about the particular situation.
  • Take action: It’s important to approach each investigation with empathy, but some portion of insider breaches will always be truly malicious. In these cases, documentation is important. If it is determined that employees have knowingly engaged in risky actions, and if it is clear that they pose an ongoing risk to the organization and its data, it is time to bring together key stakeholders from security, HR and legal to provide a recommended course of action for the team to carry out.

Approaching internal investigations with empathy helps build a culture of trust, open communication, and respect. It builds and maintains a positive security culture — and above all, it helps keep your organization’s most valuable data safe and secure.

This content is produced by Insights, the custom content arm of MIT Technology Review. It was not written by the editorial board of the MIT Technology Review.
