Sep 2, 2024

Busted: Misconceptions of Insider Risk Programs


Insider risk management is gaining momentum, as organizations increasingly accept that cybersecurity is a human challenge that requires a human solution.

The data shows that humans are a common factor in cybersecurity incidents. According to Gartner, by 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs. The firm also predicts that by 2025, 50% of organizations will adopt an insider risk program.

What sets insider risk management apart from traditional cybersecurity programs is the premise that cyber-attacks are more likely to be avoidable when an organization puts its people at the heart of its cyber strategy.

In other words, employees are less likely to pose a security risk when they are empowered and motivated to follow security policies and procedures in the first place.

Want to stop employees bypassing security controls? Make security a frictionless business enabler. Want to stop employees taking sensitive IP when they leave? Create an environment that makes them not want to leave in the first place, and continuously test and validate controls. Want to stop employees falling victim to social engineering and credential sharing? Arm them with the tools and education they need to know when they’re being conned.

This might sound obvious, but it highlights an important truth: employees are the most powerful lever an organization has for mitigating its security risk, but only when the environment is right.

Technology alone cannot stop a cyber incident, but people can. The challenge (and opportunity) is giving them the tools, skills, and motivation to do so. This starts with correcting the misconceptions about insider risk programs and the negative connotations that surround them.

Here are some common misconceptions on insider risk programs:

#1. An insider risk program requires extensive new data collection on employees

More data is not necessarily better. More often than not, more data translates into high rates of false positives that overwhelm analysts and pull their focus away from genuine risks. Legacy point tools are notorious for this: they capture superfluous data, clog systems, and degrade performance, and with it the employee experience and productivity. The biggest concern is when tools overstep the mark by infringing on privacy through capabilities like screen capture. Taking a ‘Big Brother’ approach only erodes trust, disenchants employees, and slows down systems. A well-considered insider risk program protects employee privacy and captures only actionable data from psycho-social, cyber, physical, and organizational sensors.

#2. An insider risk program will profile employees and put the organization at legal risk

There is no evidence-based profile of a malicious insider. Likewise, indicators built on protected characteristics covered by equal-employment law (e.g. age, gender, race) are ineffective as well as legally hazardous. Good people do bad things all the time, but it doesn’t make them inherently bad. For these reasons a sound insider risk program does not profile employees. Instead, it focuses on specific behaviors, and patterns of behavior, that have been shown to be associated with increased risk.

#3. An insider risk program is focused on penalizing employees

The bedrock of a successful insider risk program is a security-conscious work environment built on trust, respect, transparency, and bi-directional loyalty. It is unreasonable to think that penalizing a well-meaning employee for accidentally clicking a dodgy link or falling for a new, creative attack vector could be conducive to positive behavior change. Penalizing employees only makes them feel vulnerable and exposed, which makes them more likely to hide mistakes and delay reporting, creating rather than reducing risk.

#4. Other parts of the organization (compliance, HR, physical security) already deal with insider risks

While these departments are critical for tackling insider risk, a siloed approach doesn’t work. Insider risk programs are governed by a dedicated team comprising one or more representatives from each group. The insider risk program acts as a central repository (often called a ‘hub’) to correlate datasets and insights from across those different parts of the organization. This collaboration is essential and has often been the missing part of the insider risk management puzzle. One department might have an important datapoint that is not concerning in itself but is very concerning when combined with other datapoints from other departments.

For that reason, insider risk programs do not replace other groups but offer a collaboration that draws on the whole-of-business insights that are needed to identify and deter risk.
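The correlation the ‘hub’ performs in #4 (and the behavior-only indicators called for in #2) can be illustrated with a small scoring routine. This is an added example, not DTEX or MITRE code: the event feed is constructed, and the indicator names, weights, window, and threshold are hypothetical. Each record carries only what the hub needs (when, who, which department observed it, what behavior), with no content capture and no protected attributes. No single indicator crosses the alert threshold; the user is flagged only when indicators from several departments land inside one time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real data): (timestamp, user, source department, behavior).
SAMPLE_EVENTS = [
    ("2024-08-12T09:00:00", "jdoe", "hr", "resignation_notice"),
    ("2024-08-19T22:41:00", "jdoe", "physical", "after_hours_badge_in"),
    ("2024-08-19T23:05:00", "jdoe", "cyber", "bulk_download_sensitive_share"),
    ("2024-08-19T23:20:00", "jdoe", "cyber", "usb_mass_storage_write"),
    ("2024-08-05T21:10:00", "asmith", "physical", "after_hours_badge_in"),
    ("2024-08-20T10:00:00", "asmith", "cyber", "bulk_download_sensitive_share"),
]

# Hypothetical weights for observable behaviors only; no age, gender, race or
# other protected attribute is an input. Every weight is below ALERT_THRESHOLD,
# so no department's sensor can raise an alert on its own.
INDICATOR_WEIGHTS = {
    "resignation_notice": 20,
    "after_hours_badge_in": 15,
    "bulk_download_sensitive_share": 25,
    "usb_mass_storage_write": 25,
}
CROSS_SOURCE_BONUS = 20          # applied when two or more departments contribute
WINDOW = timedelta(days=14)      # hypothetical correlation window
ALERT_THRESHOLD = 60


def parse_events(rows):
    """Parse timestamps and return events sorted by time."""
    parsed = [(datetime.fromisoformat(ts), user, source, ind) for ts, user, source, ind in rows]
    return sorted(parsed, key=lambda e: e[0])


def score_user(events):
    """Return (best_score, contributing_indicators) for one user's time-sorted events.

    Every WINDOW-long span ending at an event is evaluated, so an indicator that
    is harmless alone counts only when it co-occurs with others in that span.
    """
    best, best_set = 0, ()
    for i, (t_end, _, _, _) in enumerate(events):
        in_window = [e for e in events[: i + 1] if t_end - e[0] <= WINDOW]
        score = sum(INDICATOR_WEIGHTS.get(e[3], 0) for e in in_window)
        if len({e[2] for e in in_window}) >= 2:   # correlation across departments
            score += CROSS_SOURCE_BONUS
        if score > best:
            best, best_set = score, tuple(e[3] for e in in_window)
    return best, best_set


def score_users(rows):
    """Group the feed by user and score each one."""
    by_user = defaultdict(list)
    for event in parse_events(rows):
        by_user[event[1]].append(event)
    return {user: score_user(evs) for user, evs in by_user.items()}


def alerts(rows):
    """Users whose best windowed score reaches the threshold."""
    return sorted(u for u, (score, _) in score_users(rows).items() if score >= ALERT_THRESHOLD)


if __name__ == "__main__":
    for user, (score, indicators) in score_users(SAMPLE_EVENTS).items():
        print(f"{user}: {score} {indicators}")
    print("alerts:", alerts(SAMPLE_EVENTS))
```

With the sample feed, jdoe's resignation notice (HR), after-hours badge-in (physical security), bulk download and USB write (cyber) all fall within one 14-day window and together score 105, so jdoe is flagged. asmith has the same bulk-download indicator, but the only other observation is fifteen days earlier, outside the window, so neither span scores above 25 and no alert is raised. The cross-source bonus is the point of the hub: the score rewards agreement between departments, not volume from any one sensor.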

Taking a human-centric approach to insider risk management

If there’s one resounding lesson to be had, it’s that insider risk programs are not successful when they are cyber-first or cyber-only.

Insider risk programs combine psycho-social and cyber-physical data points to create human-driven context in a way that no other group in an organization can.

The sooner organizations start applying human-driven insights to support their people, the sooner they can reduce insider risk and protect their organization.

Applying behavioral science and data-driven research

MITRE partnered with DTEX in 2020 to conduct a data-driven study of the modern insider risk landscape to assist Five Eyes critical infrastructure entities challenged by evolving threats, including nation-state actors and sophisticated adversaries targeting trusted insiders.

Request a briefing to learn more about the research and how you can apply our learnings to drive a robust insider risk program.
