What have you been doing John?

I am constantly seeing and hearing more talk about the risk posed by insiders when it comes to business risk. The talk of insider risk and the threat to the business, threats to compliance and security has been amplified in recent weeks, yet very few businesses have any form of Insider Risk Management program in place. 

Why is this?

Do we not know where to start, or are we scared of what we might find?

Large and small business all show different levels of support or acceptance of the importance of insider threats. Sadly, the importance they place on these are totally worthless if only in words.

In the last couple of weeks we have seen reports of top secret government information being leaked/lost/copied on different sides of the Atlantic.

The departments that these insiders worked for all have spoken extensively about the importance of protecting data and know that there is such a thing as Insider Risk, yet their actions or inaction tell a different story. The same thing happens in the corporate world and I think this is often because they do not see an insider risk, they see John. Let me elaborate on my thought process here.

I believe that part of the problem is that when we talk about "threats" the Board (execs) visualise someone dangerous or malicious, a criminal even. The dangerous person stuck in the corner, wearing the hoodie, just like we see in the movies.

The same execs, worried about these threats, then look out of their office window or walk the open plan office, here they see John. They have a chat at the coffee machine or printer, find out about the kids, weekend activities and the quarter’s numbers. They do not see a criminal or something which can cause malicious damage, it is just John.

They trust John, they value his input to the business unit and the discussion they had with the other execs about insider "threats" does not include John. Besides, he isn't even wearing a hoodie.

I personally think that inaction comes about because the discussion often starts the wrong way around when speaking to execs about their insider threats.

If you tell the execs that insiders are a threat, they see John at the coffee machine, smiling and talking about his kids and his inability to master sit-ups. If we were to start the discussion identifying how insiders can be a risk (before they are a threat), then unpack how an insider evolves to a threat, including how our trusted people can be coerced, tricked or scammed, the discussion on how to measure the threat and put in controls should become slightly easier.

When you talk about financial risk and fraud execs immediately identify with this. They know that this is a risk to be addressed with controls and visibility, importantly John doesn't enter their view. They only see the need to protect the business from an identified, well-known financial business risk.

Insider Threats are still a "new" concept for many board members and this is why discussion needs to be changed so that the first thing the execs see is the associated business risk, not John.

Once we start the conversation on the correct footing, we then make it easier to get the required buy-in for enhanced insider risk management that brings about visibility and gives you insights from behaviour. When we have this visibility we can identify something powerful, this is intent.

Visibility of activity identifies behavioural changes and that gives us the ability to decipher intent. Without it, we simply wait to see our sensitive data on forums or other online platforms.

The question is whether you know what John has been doing?

#letsgetreal #J1TopTip