"Where people risk is concerned, there seems to be a blind spot."
Rachael Brassey, HR consulting, and Bill Windle, cyber security consulting, PA Consulting Group
Rachael Brassey and Bill Windle, Evaluation Centre, 1 November 2011
The insider threat, whereby an employee acts – knowingly or unknowingly – in a counterproductive way to cause significant damage to their organisation, has become a key risk for companies around the world.
Partly this is driven by the greater access individuals have to critical information and systems as organisations become more and more connected. In addition, ever more sophisticated methods of carrying out a cyber attack and the availability of more outlets for leaking information are increasing the threat.
To help manage this insider threat, organisations employ good security people; systems log behaviour ranging from physical access to the use of IT systems; and software monitoring tools analyse the logs and generate alerts.
Yet, in many cases, this is not working: there are frequent reports of successful attacks on the same organisations that deploy all these defences. Where people risk is concerned, there seems to be a blind spot.
However, one way organisations can significantly reduce opportunistic crime or counterproductive behaviour by insiders, and manage their people risk, is through ‘protective monitoring’.
Protective monitoring encourages people to take the right course of action and helps detect potentially risky behaviour before it causes significant damage. Done well, it commands the support of employees, engenders a strong security culture and delivers a valuable business differentiator.
There are three key elements to implementing effective protective monitoring. Firstly, you must manage four things well:
1. Assets – such as reputation, employees, computers, property and data
2. The identity of employees
3. Employees’ time – when they take actions and for how long
4. The volume of transactions.
All this must be done in the context of people’s roles and the business; context is key here since it informs sensible and insightful business rules that produce meaningful alerts. Often the most valuable rules are not obvious and can significantly benefit from expert input.
Secondly, organisations need to use behavioural anomalies identified in historical data to focus real-time monitoring on the areas or people who pose the highest risks. Effectively, this enables you to use hindsight to predict where your people risks are most likely to reside – and to focus your monitoring accordingly.
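The two elements above can be made concrete in code. The following is an added example, not part of the article or of PA Consulting's work: it takes a constructed access log covering the four things the authors say must be managed (the asset touched, the identity and role of the employee, the time of the action and the daily volume of transactions), builds a per-role baseline from the historical portion, and then checks live events against that baseline in the context of the person's role. The log format, role names, thresholds and the factor-of-two volume rule are all assumptions chosen for illustration.

```python
"""Context-aware protective monitoring over access-log lines.

Added example (not from the article). Each log line is assumed to have the form
    YYYY-MM-DDTHH:MM user role asset action
A baseline is derived per role from historical events: the hours of the day in
which that role is normally active, the assets it normally touches and the
typical (median) number of actions one person in that role performs per day.
Live events are then scored against the baseline for their own role, so the
same action can be routine for one role and anomalous for another.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed historical log: three ordinary working days for two roles.
HISTORICAL_LOG = """
2011-10-24T09:05 alice finance payroll_db read
2011-10-24T11:30 alice finance payroll_db read
2011-10-24T15:10 alice finance payroll_db read
2011-10-24T10:00 bob engineer source_repo read
2011-10-24T14:20 bob engineer source_repo write
2011-10-24T18:45 bob engineer source_repo write
2011-10-25T09:40 alice finance payroll_db read
2011-10-25T13:15 alice finance payroll_db read
2011-10-25T16:05 alice finance payroll_db read
2011-10-25T08:55 bob engineer source_repo read
2011-10-25T12:30 bob engineer source_repo write
2011-10-25T17:50 bob engineer source_repo write
2011-10-26T09:20 alice finance payroll_db read
2011-10-26T10:45 alice finance payroll_db read
2011-10-26T14:00 alice finance payroll_db read
2011-10-26T09:30 bob engineer source_repo read
2011-10-26T15:15 bob engineer source_repo write
2011-10-26T19:00 bob engineer source_repo write
"""

# Constructed live log for the next day, containing three anomalies:
# a finance user touching an engineering asset, an engineer with more than
# twice the usual daily volume, and a late-night export of payroll data.
LIVE_LOG = """
2011-10-27T09:00 bob engineer source_repo read
2011-10-27T09:30 bob engineer source_repo read
2011-10-27T10:00 bob engineer source_repo read
2011-10-27T10:15 alice finance payroll_db read
2011-10-27T10:30 bob engineer source_repo read
2011-10-27T11:00 carol finance source_repo read
2011-10-27T11:00 bob engineer source_repo read
2011-10-27T11:30 bob engineer source_repo read
2011-10-27T12:00 bob engineer source_repo read
2011-10-27T23:40 alice finance payroll_db export
"""

VOLUME_FACTOR = 2  # assumption: more than twice the median daily volume is a spike


def parse(log_text):
    """Turn raw log lines into event dicts with a parsed timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, role, asset, action = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
                       "user": user, "role": role, "asset": asset, "action": action})
    return events


def build_baseline(events):
    """Per-role baseline: active hour range, usual assets, median daily volume per person."""
    hours, assets = defaultdict(set), defaultdict(set)
    daily = defaultdict(int)  # (role, user, date) -> number of actions
    for e in events:
        hours[e["role"]].add(e["ts"].hour)
        assets[e["role"]].add(e["asset"])
        daily[(e["role"], e["user"], e["ts"].date())] += 1
    per_role_counts = defaultdict(list)
    for (role, _user, _day), n in daily.items():
        per_role_counts[role].append(n)
    return {role: {"hour_range": (min(hours[role]), max(hours[role])),
                   "assets": frozenset(assets[role]),
                   "median_daily": median(per_role_counts[role])}
            for role in hours}


def monitor(baseline, live_events):
    """Check each live event against its role's baseline; return (rule, user, detail) alerts."""
    alerts, daily = [], defaultdict(int)
    for e in live_events:
        b = baseline.get(e["role"])
        if b is None:  # a role never seen before is itself worth a look
            alerts.append(("unknown_role", e["user"], e["role"]))
            continue
        lo, hi = b["hour_range"]
        if not lo <= e["ts"].hour <= hi:  # time: outside this role's normal hours
            alerts.append(("off_hours", e["user"], e["ts"].strftime("%Y-%m-%d %H:%M")))
        if e["asset"] not in b["assets"]:  # asset: not one this role normally touches
            alerts.append(("unusual_asset", e["user"], e["asset"]))
        key = (e["user"], e["ts"].date())
        daily[key] += 1  # volume: fire once, when the count first exceeds the threshold
        if daily[key] == int(VOLUME_FACTOR * b["median_daily"]) + 1:
            alerts.append(("volume_spike", e["user"], str(e["ts"].date())))
    return alerts


def run():
    """Build the baseline from the historical log and monitor the live log."""
    return monitor(build_baseline(parse(HISTORICAL_LOG)), parse(LIVE_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The role context is what keeps the alert list short and meaningful: carol's read of source_repo is flagged only because her role never touches it, and bob's seven reads are flagged only because the engineering baseline says three a day is typical. Changing the baseline inputs (more history, different roles) changes what counts as anomalous without touching the rules themselves.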
Thirdly, organisations need to integrate across the relevant business and security functions so that anomalies in employee behaviour are not kept hidden within silos. HR is the primary, but often unrecognised, internal customer for behavioural monitoring. By making people risk a clearly accountable responsibility of HR, organisations gain not only significant internal clarity on governance but also a sharper focus in their day-to-day monitoring requirements, improved people risk management and stronger ownership of this critical capability.
Of course, all protective monitoring must comply with regulatory frameworks (legal, ethical and so on) and be publicised internally so that employees are aware that it is in place and part of everyday business. At the same time, monitoring must remain unpredictable so it cannot be easily circumvented.
PA is currently working with the UK Government’s Centre for Protection of National Infrastructure (CPNI) to help develop new national guidance on managing people, physical and cyber risk. This guidance will help UK organisations to reduce counterproductive behaviour.
Rachael Brassey specialises in HR & payroll transformation. Bill Windle is a cyber security expert.