EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
The first step toward managing insider risk is to cultivate awareness of potential insider risks across the full spectrum of an organization’s activities. That awareness promotes a proactive stance toward such risks — a stance that most businesses already take toward external risks.
Several recent developments have intensified the urgency of broadening business’ approach to insider risk. One is the growth of programs organized by some governments to obtain IP by fair means or foul; the Thousand Talents Program is an example of such an effort. Another important development is the influx of employees shifting from traditional, longer-term tenure expectations at a single employer to a workforce with less organizational loyalty.
They may take a more casual view of IP integrity and information security. But the most significant development is the COVID-19 pandemic and the resulting massive shift to remote work, which has introduced a wide array of new vulnerabilities for risk managers to address. For example, remote work has sharply reduced the number of face-to-face interactions in the workplace, which often is where possibly significant changes in an employee’s behavior or attitude first appear. In place of such interactions, risk professionals have stepped up their reliance on technology-assisted behavioral assessment, applying the techniques of external security programs to insider risk.
Just as with external threats, companies cannot mitigate internal risk simply by out-designing or out-developing malicious actors. Instead, a growing number of organizations are setting up dedicated insider risk teams to aggressively address insider risk before it strikes. Typically, such teams consist of stakeholders from across the organization — including representatives from legal and compliance, HR, IT, finance and other departments — collaborating under the leadership of a single lead, who owns the program and is accountable for its performance. To an increasing extent, such dedicated organizations are responsible for acquiring the technology necessary to do their job.
Or not acquiring it, as the case may be: many organizations are discovering that some of the security tools they already have in place can be adapted to addressing insider risk. In most cases, however, organizations lack the complete array of necessary tools. Many need to supplement their existing technology with components designed expressly to detect insider risk, such as UEBA; enhancements to physical security (workplace violence, after all, remains a salient form of insider risk); and capabilities, such as CCTV coverage of photocopiers and other office equipment.
Veterans of insider risk engagements note that while many companies are effective in some aspects of insider risk management, few possess the full spectrum of necessary capabilities, skills and technology.
An effective insider risk program, however, is more than the sum of its technological features. It is a comprehensive framework that leverages technology to address insider risk along multiple dimensions. The framework enables an organization to prioritize risk mitigation activities to protect an organization’s most valuable and vulnerable data assets, and apply human judgment to distinguish between genuine threats to IP assets and “false positives” generated by random variations in data flows.