Edward Snowden may be the most well-known example of an insider threat. But for corporations, government agencies and non-profit organizations, the insider threats that pose the risk may not even be intentional. In many cases, employees take intellectual property when they leave the organization because they had a hand in its creation and think they own it, but in actuality, the property is owned by the business.

A panel at the Association of Corporate Counsel’s annual meeting broke down the best practices of an insider threat/risk program. Having such a program is key to protecting the organization, managing data and making sure the organization’s information, customer data and intellectual property are not stolen or misused, whether intentionally or unintentionally.

The panelists were Christine Binotti, Senior Compliance Counsel, Motorola Solutions, Inc.; and Sam Facey and Kristen Hardy, Assistant General Counsel and Compliance Counsel, respectively, with Rockwell Automation.

The panelists gave these guidelines:

If an organization does not have an insider threat/risk program, creating and rolling out a system that can start making progress in this area may seem too challenging or cumbersome.

To start, an organization does not need to roll out a large, comprehensive program. The main thing is simply to start; the program may be small and initially focus on only one aspect of the organization. So at the beginning, build a business case, create buy-in from management, get executive sponsorship and start a pilot program. Then, as the program moves forward and the organization develops an understanding, the program can grow and evolve.

Another key aspect of creating a solid program is having a cross-functional team as part of the program. Members may include IT, human resources, finance, legal and key business leaders. As the program is being built, work with legal to make sure any monitoring is compliant with applicable and local laws. Additionally, legal can help create a policy of use, a documented process of steps for when an individual violates the policy, help with understanding various global employment and labor laws, and more, depending on the business and its geographic footprint.

Identifying the high-risk areas allows the organization to focus its attention and resources on areas that are vital to the business or pose the biggest risks. These areas could include certain positions, assets and who has access to them, and areas of vulnerability. Areas of vulnerability may be the infrastructure of the organization, but could also be employees and the need to educate them about risks such as phishing.

A successful program must include developing the technology road map. An organization may not have the funds or manpower to implement a given technology to augment the program. A place to start is to work with the IT group and see what technology the organization already owns, has access to, or could develop and get up and running at minimal cost.

Determine the scope of the program: whether to have one central insider threat/risk team or multiple subsets in various regions. The subsets could include one or two individuals from specific regions who would work in tandem with the core team to keep the program from becoming cumbersome.

An additional area to consider as the program is built and evolves is educating the entire organization. The team should also track terminations and resignations. Timely and appropriate education and monitoring can help eliminate potential problems.

Again, the key, according to the panelists, is to start a program if you don’t already have one. If you currently have a program, continuous improvement and evaluation are vital to make sure the program continues to meet the organization’s needs.
