In today’s hyper-connected world, risk management has evolved beyond mere protection against external threats. Now, organisations must also navigate the terrain of internal threats – a task that requires setting up an Insider Risk Programme (IRP). This blog post will guide you through the crucial process of effectively communicating the necessity, benefits, and implementation of an IRP within your organisation.
In the following sections, we will delve into how you can pitch the IRP to your superiors, underlining the programme’s importance through pertinent statistics and case studies. We’ll also explore how to present your implementation plan and highlight the role of employee engagement in fostering a culture of security and trust. Finally, we will discuss strategies for introducing the IRP to your team in a way that fosters understanding and acceptance.
Pitching Your Insider Risk Programme to Superiors
While it is crucial to communicate the importance of an Insider Risk Programme (IRP) to all employees, the initial step and first hurdle you will likely encounter is convincing your superiors of its necessity. This can be challenging, especially as there is a common stigma associated with insider risks – the belief that “This doesn’t happen in our organisation”. However, it’s important to understand and communicate that no organisation is immune to insider risks.
The 2023 Insider Threat Report by Cybersecurity Insiders reveals that 74% of organisations are vulnerable to insider risks. Employees, third-party contractors, and anyone having privileged access can pose a potential insider threat. They can misuse corporate data, violate cybersecurity rules, or even fall victim to social engineering attacks. Furthermore, misuse of privileged access is one of the top reasons for data breaches, with 78% of all privilege misuse cases being financially motivated.
These statistics underline the fact that insider risks are a reality for every organisation. They also highlight the importance of implementing an IRP to proactively identify, manage, and mitigate these risks. By presenting such facts and figures to your superiors, you can help break the stigma and highlight the importance of proactive insider risk management. Remember to approach this conversation strategically: focus on the benefits of an IRP, such as improved security and a culture of awareness and trust within the organisation, and reassure your superiors that all of this can be done in compliance with GDPR and other regulations. Ultimately, positioning an IRP as a protective measure rather than a surveillance tool will help to promote buy-in from all levels of your organisation.
To further highlight the importance and need for an IRP, you can also present some recent insider risk cases that occurred in your industry. Below, we have highlighted a few examples:
CapitalOne Third-Party Data Theft Case:
An AWS engineer was found guilty of wire fraud and computer hacking following a major 2019 data breach impacting the banking titan CapitalOne and over 30 other companies. Using insider knowledge, the engineer exploited misconfigured cloud storage servers to access sensitive personal and financial data of 100 million customers. This led to one of the largest and most sensitive data breaches of the decade, costing CapitalOne $190 million in settlements. The incident resulted in a major security overhaul at CapitalOne, substantial fines, and class action damages.
H&M Excessive Employee Monitoring Case:
In 2020, H&M was fined over €35 million by the German Data Protection Authority, making it one of the largest GDPR penalties at the time. The clothing retailer was found to have excessively monitored employees, amassing considerable personal data, which was accessible to numerous managers. This data was used to evaluate employees’ performance and make decisions about their employment, violating GDPR’s data minimisation principle. The fine could have been averted by limiting personal data processing, applying strict access controls, and refraining from using this data in employment decisions.
Bupa Employee Data Theft Case:
Bupa, a UK health insurer, was fined £175,000 by the Information Commissioner’s Office (ICO) for not implementing robust security measures, leading to a data breach in 2017 in which an employee extracted and sold the personal data of 547,000 customers on the dark web. The employee transferred bulk data reports containing sensitive information to his personal email before the data was discovered for sale on a dark web platform with over 400,000 users, which was subsequently shut down.
Finally, it’s important to outline your plan for the implementation of the IRP. Make sure to include timelines, resource allocation, and measures to address potential challenges. Emphasise the importance of employee engagement and how fostering a culture of security and trust within the organisation is a key part of the process.
Communicating the Insider Risk Programme
Effective communication is the cornerstone of successfully implementing your IRP. It’s not just about informing your staff or contractors that the programme is happening – it’s about explaining why it is important and involving them in the process.
At Signpost Six, we believe education plays a vital role here. It’s crucial that your employees understand the risks that insider incidents can pose and how the IRP works to mitigate these. By fostering a culture of awareness, you can help your team see that the IRP is there to protect and support them.
To promote this culture of awareness, it’s also vital to maintain open lines of communication. Encourage questions and feedback, and keep everyone updated on any changes or improvements to the programme. This way, you can ensure that everyone feels included and valued in the process.
Did you know that in 97% of insider sabotage cases, peers and supervisors were aware of red flags?
Positioning Your Insider Risk Programme with Employees
When you begin to introduce your programme, it’s important to frame it correctly. It should be made clear to all employees that the programme is not about keeping tabs on every employee out of mistrust, but about maintaining the security of the organisation and the privacy of its staff. Discuss the benefits of the IRP, such as its role in preventing data breaches and protecting sensitive information, and how this security extends to each individual within the company. This can also be facilitated by introducing e-learning courses on insider risk for the entire company, as these will further raise employees’ awareness and their ability to recognise red flags.
Additionally, it’s important to underline that Insider Risk Programmes should be designed with GDPR and other relevant regulations in mind. Privacy is not being compromised; it’s being safeguarded.
Conclusion
An effective Insider Risk Programme is not merely a measure of corporate defence but a testament to an organisation’s commitment to its employees’ privacy and the integrity of its data. Constructive communication of the IRP, both to superiors and employees, can break down the stigma associated with insider risks and foster a culture of security, trust, and mutual respect. Framing the IRP as a protective measure, not as a surveillance tool, and demonstrating its compliance with GDPR and other regulations can encourage understanding, acceptance, and active engagement at all levels within the organisation.
Authors
Lucas Seewald
Marketing Specialist
lucas.seewald@signpostsix.com
Lucile Renhas
Consultant
lucile@signpostsix.com