Insider threats are on the rise and firms are doing more to stop them, according to a new report from Forrester Research. But it warns that insider threat programs can hurt employee engagement and productivity.
One of the ways companies are trying to curtail insider threats is by analyzing employee personal data to better detect suspicious or risky behavior. But IT security may go overboard in its collection process, security may be too stringent, and practices such as social media monitoring might “lead to eroded employee trust,” Forrester warns.
An insider threat program can turn adversarial, impacting employees in negative ways. It’s up to HR to work with IT security to provide the checks and balances, said Joseph Blankenship, vice president and research director of security and risk at Forrester.
Blankenship discussed the report's findings further in this Q&A. His responses were edited for clarity and length.
Insider threats are increasing. In 2015, malicious insiders accounted for about 26% of internal data breaches. And in 2019, it was 48%, according to Forrester’s survey data. Why this increase?
Joseph Blankenship: I think it’s twofold. You have the ability for users to monetize data and move data in large quantities like they’ve never had before. The ease of moving that data — and the portability of that data — is one factor. The other big factor is we’re looking for [threats] more often. The tools are better. Whenever we see a new capability for threat detection, that’s usually the period when we see this increase [in discovered incidents].
Nonetheless, this must be a stunning finding for a lot of firms. How do they respond to it?
Blankenship: Probably like the stages of grief. We see that pattern quite a bit in security. An event happens, and we realize we are at risk for that event happening again. So now we put effort behind it. We put budget behind it, we buy technology, we build a program, and things improve.
Accidental release of internal data accounted for 43% of all insider incidents. What does that say about training?
Blankenship: It’s also culture. Do employees actually understand why the [security] policy is there? Some of that is people trying to get around policies. They find that the security policy is restrictive. You see some of that when people decide to work on their own laptop and their laptop gets stolen. It’s usually people that are somewhat well-meaning, but they find that the policy is getting in their way. Those are all mistakes. Those are all policy violations.
Who is responsible in a company for ensuring that the employees understand the rules?
Blankenship: Typically it’s the CISO’s responsibility to do this kind of security education.
Is this primarily the job of the IT security department?
Blankenship: Certainly, it’s in partnership with human resources.
IT manages the internal security program, but many of the risks from an insider threat program are HR-related, such as increased turnover or hiring. The HR department’s metrics suffer if the program creates employee friction. Is that the case?
Blankenship: I don’t think that’s necessarily the case. You have to make the employee aware: ‘Hey, we’re doing this kind of monitoring because we have important customer data. We can’t afford a breach of customer trust. We’re doing this monitoring because we have intellectual property.’ Things become a lot less scary, a lot less onerous, when people understand the reasons why. If it’s too heavy-handed, if we’re doing things to either punish employees or make their jobs really difficult, it does create that adversarial relationship.
What is the best practice here? Should HR or IT spell out exactly what they do to protect company security?
Blankenship: I don’t know if you get into all the specifics of a security program, but make the employees aware. ‘We’re going to be monitoring things like email. We may be monitoring your computer usage.’
What is HR’s role in helping the company implement these policies?
Blankenship: Because HR is the part of the company responsible for employee experience, it is very much incumbent on them to work with the security department and keep it a little bit honest. I’m sure there are a lot of security folks who would love to really turn up the dial on security policies. If you remember some years ago, the big debate was whether we should allow personal internet usage on company-issued devices. There were lots of security reasons why we would say, ‘absolutely not.’ However, the employee experience dictated that we had to allow some of that activity; otherwise we wouldn’t be able to recruit any new employees. We really had to find the balance.
It sounds as if HR’s responsibility here is to provide some checks and balances.
Blankenship: There are checks and balances, as well as helping [IT security] to design the education program. There are probably not a lot of security technologists who are amazing at building culture, but that is absolutely the job of good HR professionals.