At various times in any insider threat program, there inevitably will be shortcomings in governance, gaps in detection, difficulties tying data to a threat and substandard responses.
So what’s the best fail-safe when those other important program capabilities fall short? Deterrence.
Deterrence is one of the lowest-cost ways to decrease the threat that malicious and negligent insiders pose to your organization. Because it is often viewed simply as a dull or awkward communications and training function, it rarely gets a second look.
Here at the halfway point of Insider Threat Awareness Month, however, we think it’s worth challenging your insider threat program managers to give deterrence a chance.
Below are six strategies for how you can make your deterrence strategy more innovative and effective.
- Training isn’t the only answer. Many think deterrence just means more training. If your answer to every problem at the organization is to hold a training session, throwing another one on top of the pile is unlikely to succeed. Think about other strategies like those mentioned in the webinar link at the bottom of this post (clip 43:01 – 46:53). There’s so much more to deterrence than training.
- Make it a juicy story. Share stories that are relevant and Just like people rubberneck when they drive past an accident, they have a hard time not participating and engaging when there’s a compelling story on the table. Talk about cases where people were caught in acts that highlight the effectiveness of your insider threat program. This can be anything from group emails to awareness posters in the restrooms to a ‘public service announcement’ at the beginning of a virtual meeting.
- Survey your employees about how seriously their managers take insider threats. Not many people feel strongly about an insider threat program unless they have seen positive changes because of it. And chances are that positive impact won’t happen for all your managers. But you can artificially increase that impact by acknowledging managers who score highly, or counseling those who aren’t taking it seriously.
- Don’t just threaten potential insiders. Research shows that if you can appeal to someone’s desire not to be an insider threat, it’s almost as effective as someone knowing that they are being watched. That means messages like “losing information isn’t only costing the company millions, it’s compromising your coworkers’ life work” can be just as effective as installing a highly sophisticated (and expensive) monitoring system.
- Message your insider threat program. Be deliberate about the way you message the program to the organization. A short clip from the deterrence webinar below (15:23 – 17:34) talks about all aspects of a deterrence program and how you might think about messaging it.
- Have an offboarding process, and don’t deviate from it. Rarely do people leave a company (voluntarily or otherwise) feeling 100% positive about their experience. Offboarding is a time to communicate expectations and create physical boundaries to sever ties amicably and professionally.
Deterrence is so much more than training. And every deterrence strategy is going to look a little different depending on what your corporate culture looks like. For more information and ideas about how you can make your employees more resilient, aware and prepared for the risks posed by insider threats, check out our recent webinar on deterrence here.
# # #
Note: For a compelling (and juicy) story about a formerly high-flying corporate exec who becomes a malicious insider, download a free copy of our paper To Catch an IP Thief here.