With the recent Okta breach and other high-profile breaches caused by insider threat scenarios, many of us in cybersecurity are asking the question: “What can we do to reduce the insider threat risk?”
Most of the recent articles I’ve read are written from the perspective of the cybersecurity professional and focus on security measures; almost dismissing the employee side of the equation with such verbiage as “other than keep our employees happy, what can we do . . .?” While security measures such as multi-factor authentication, AI-enabled anomaly detection, and user behavior analytics are necessary and appropriate, I would argue positive, proactive employee-focused efforts are both the starting point and the core of the insider threat defense.
Three factors that will substantially reduce the insider-threat risk, and pay handsome dividends in other areas such as productivity and employee satisfaction, are:
- The perception that my boss cares about me
- A sense of connectedness or belonging to the organization
- An effective vetting and hiring process
My Boss Cares. This factor is both the simplest and for some, the most difficult. Put simply, you can’t fake caring. Team members know whether the boss cares or not. A multitude of research indicates the single most important factor in employee satisfaction is the relationship with one’s immediate supervisor. A misconception is to equate caring with warm and fuzzy; while some caring bosses are warm and personable, it is entirely possible to be both caring and tough. High standards, a strong sense of purpose and direction, and honest and well-considered feedback – including difficult conversations – are hallmarks of a boss who cares.
If you can’t fake caring, can you learn caring? I believe it’s possible to learn to care at least to a degree, if a sincere desire exists. A more common scenario, especially among new managers and those in technical occupations, is learning to more fully demonstrate a caring attitude. From my own experience and from years of observation, this is very doable, as they say: ‘practice makes perfect.’ Over time and with effort, it can become far more natural and consistent to demonstrate caring.
Organizational Connectedness. Many workplace elements and trends work against a sense of connectedness to the organization – remote work, virtual teams, increasing reliance on contractors, and shorter average tenure – not to mention COVID – all contribute to a reduced sense of belonging. We’ve already covered one factor that increases a sense of organizational connectedness – the perception of a caring boss. Another factor is a shared sense of purpose. That purpose need not be a save-the-world crusade, but it must be clearly articulated and be something team members can get behind.
A host of programs and activities also can be undertaken to increase the sense of connectedness: informational, such as newsletters or blogs; activities, such as parties and theme-days; and many other types of corporate team building programs. Such programs and activities will appeal more to some and less to others; it’s less important exactly what is done than that something is done.
Hiring Process. If positive employee-focused efforts are the starting point of reduced insider threat risk, then hiring is the starting point of positive employee-focused efforts. Three points that contribute to successful hiring are:
- A structured vetting process that addresses the whole person – not just technical expertise or job qualifications, but soft skills, work style, interpersonal relations, etc.
- A team approach to hiring; involving additional team members in the interviewing and hiring process and seeking consensus contributes greatly to successful placements.
- Trusting your instincts in the vetting process; we seek objective measures, but some subjectivity can be beneficial – if it doesn’t feel right, proceed with great caution. Seeking additional input and consensus can be very valuable.
I’ve found over the years that in nearly all cases when something goes seriously wrong with an employee, there was a previous warning flag, even if I couldn’t quite put my finger on it. While I’m aware of no statistics, and it would frankly be difficult to measure, I suspect it’s also true that in most cases of insider-threat breaches, warning flags were present, and often long before the incident.
These factors – the perception of a caring boss, a sense of organizational connectedness, and an effective hiring process – won’t eliminate the insider-threat risk, but they will greatly reduce the risk; probably by a factor of at least three, and cybersecurity is all about reducing risk.
