Insider risk can occur anywhere in a company, and it can come from anyone. It could come from a disgruntled former employee stealing artificial intelligence trade secrets, or from someone poached by a competitor who takes mobile chip design secrets with them on the way out. It could even come from the C-suite, as one company recently discovered when the CFO accidentally shared a document titled “Restructuring” with the entire company. Accidental exposure of data like this can cause concern among employees, and for public companies it can even trigger the U.S. Securities and Exchange Commission (SEC) Regulation Fair Disclosure (Reg FD) requirements if the leaked data could affect shareholders.
For the security team, it would be inappropriate to take a combative approach, one intended for outside threats, with a CFO over inadvertent data sharing. There is a better way.
An Empathetic Approach to Insider Investigations
The way we should approach an external risk, such as malware, is very different from the way we should approach insider risk.
There are many factors to consider when managing insider risk, especially as they relate to the desired business outcome. Insider investigations should not be the sole purview of the security team; they often require the involvement of security, HR and legal. According to Gartner, “Survey data…indicates that over 50% of insider incidents are not malicious,” meaning the employee at the root of the incident was usually just trying to get their job done, made a mistake, or took a shortcut. Treating them as if their actions were intentionally malicious is the wrong approach and can backfire. Those involved in the investigation must be empathetic and nonjudgmental. Otherwise, the risk of that employee making the same mistake again, or becoming dissatisfied and disenfranchised, increases significantly.
Approaching insider investigations with empathy requires a psychological shift. It is the first step to building trust so that the best result for the organization can be achieved. Here are five key elements of an empathetic approach to insider investigations:
- Connect to understand: When an event happens, the first contact can be as casual as, “Hey, we noticed you moved a document to your personal cloud account. Did you mean to do that?” Their response will often be one of surprise, because it was a mistake or they didn’t know it wasn’t allowed. They may simply have needed to get their work done, and this was the quickest way.
- Explore unconscious biases: All people have conscious and unconscious biases that influence their actions and decisions. The HR team can help the other stakeholders recognize these biases and work to reduce them. It is important to treat all individuals equally, whether they are co-workers, the CEO, or someone from a group or culture that is different from your own.
- Reassure to build partnership: If the event was a mistake, let the employee know they’re not in trouble. The employee likely thinks they are, and may be wondering whether they could lose their job. It is a natural human instinct to become defensive and deny the behavior. Reassure them that the situation can be put right and that you are there to help. They will then be more likely to be honest about what they were trying to do, and you will be in a better position to help, and to recover any exposed or leaked data.
- Teach: In the event of a negligent or accidental incident, it is important to give the employee guidance on the appropriate course of action in the future. Guidance delivered at the moment of the mistake has far more impact and is remembered better than, for example, an annual training session. You can reinforce the conversation with short, one- to three-minute videos about the specific situation.
- Take action: It’s important to approach every investigation with empathy, but there is always a subset of insider incidents that is truly malicious. In these cases, documentation is essential. If the employee has been determined to have intentionally taken a risky action, and if it is clear that they pose an ongoing risk to the organization and its data, then it is time to bring together the key stakeholders from security, HR and legal to recommend a course of action to the executive team.
By approaching insider investigations with empathy, you build a culture of trust, open communication and respect. This builds and maintains a positive security culture, and best of all, it helps keep your organization’s most valuable data safe and secure.
This content is produced by Insights, the custom content arm of MIT Technology Review. It was not written by the editors of MIT Technology Review.