Five million dollars. That’s how much an insider risk event could have cost one company when proprietary source code was exfiltrated by a software engineer who recently resigned. In this case, the file movement was detected and never left the company, but without the proper security measures, this scenario could have been much worse.
The uptick in employees taking sensitive data, presentations and customer lists with them when they quit is one of the many residual effects of the Great Resignation and shift to hybrid-remote work. The Great Resignation served as a catalyst for departing employees to unknowingly expose, leak or exfiltrate intellectual property (IP), something many organizations weren’t prepared for. At the same time, hybrid work changed the way we collaborate and communicate, creating new opportunities for data exposure. Employees are using personal clouds, emails and unsanctioned apps more frequently to get work done and some organizations have found themselves in the dark when it comes to the movement of their data.
Employee surveillance software has become a prevalent response to these new conditions, with demand for the technology 54% higher than before the pandemic began. Companies gravitate towards these invasive tools because they believe they give them visibility into their data. Not only do they monitor employee keystrokes, but also website visitations, file downloads and email attachments. These kinds of tools are not an effective way to minimize insider risk. Rather, they perpetuate a larger culture of distrust between a company and its employees — one that only contributes further to the problem.
Employees whose companies are using these technologies cite feeling like their company is violating their privacy, resulting in disengagement, “quiet quitting,” and an overall decrease in employee morale with a high increase in turnover. While the solutions may have been implemented to monitor performance or to track assets, surveillance tech lacks transparency and compromises the trust and collaboration necessary to build a culture of security.
When it comes to managing and preventing data exposure by employees, surveillance tech is not the solution. Instead, companies need to build a security-aware culture that establishes data ownership policies and empowers employees to do their part to protect the company. Creating this culture leads to every employee taking responsibility for security and encourages them to speak up. With an established level of trust, employees will reach out to security teams when they see something that might not be secure, and they are more likely to ask security for help when they feel as though they are taking a risky action that may violate a security policy. To do this, security teams and leaders need to create a culture that is built on trust and empathy, empowering employees while also keeping data safe and teams on track:
1. Establish an acceptable use policy
To avoid employees unknowingly exposing data, they first need to understand acceptable — or unacceptable — uses of data and how their employer is watching data move. Define what data belongs to the business and what belongs to employees. Today, employees feel a much greater sense of ownership of their work, feeling it belongs to them as opposed to their company, which is why we see so many employees taking data with them when they leave. Make sure to communicate this ownership during onboarding and again during offboarding.
2. Build a culture of empathy and trust
When employees move data to personal clouds or use their personal email, it is often unintentional. In fact, more than 75% of insider data breaches have been considered non-malicious. The goal of an insider risk program should not be to “catch” employees, but to better educate and guide them. When data is exposed, approach the investigation assuming the user’s intent was positive and provide awareness education in the moment so the impact is longer lasting.
3. Educate consistently
Security teams need to make employees part of the solution, training them on the proper ways to share and handle data from the start. Training needs to be consistent and ongoing. Look to incorporate insider risk training throughout an employee’s daily workflow. For instance, if an employee tries to send themselves a personal email containing company IP, a short video reminder that pops up on their screen to explain that what they are doing is a security risk can be effective in creating lasting positive habits.
4. Establish what is risky vs. noise
Only a small amount of data movement will actually pose a serious risk to companies. Employees, on the other hand, create thousands of data events in a day. Security teams should have ways to see all data movement so they can better define what “bad” data movement actually looks like to cut through the noise and identify indicators of true risk.
5. Update data protection tech
Outdated data loss prevention tools can no longer keep up today’s modern, cloud-reliant workforce. Organizations need technology that can see movement across cloud apps, will automate security alerts and prioritize insider risk concerns. Look for data protection technology that can tell the difference between trusted and untrusted locations and cloud domains.
Security culture relies on the entire organization
A good security culture starts with a security team that is willing to enable the organization to get their job done. Security teams need to build programs in a way that doesn't erode trust. The solution won’t lie in intrusive monitoring of employees' every action in order to protect company data. When it comes to managing and minimizing insider risk, there is no place for surveillance technologies. It’s not an effective solution and compromises the culture of trust that is necessary to build out successful security practices.
By establishing a data protection program based in trust and transparency, security teams promote collaboration and innovation among all levels of the business, while still having the visibility needed to monitor for risks.