Imagine the following scenario: you work with a colleague who everyone sees as a problem. This individual complains about the direction of the company, unfair treatment, and even vocalizes personal financial struggles. People have come to expect this kind of negative behavior from him. One day, though, you overhear this disruptive co-worker say something out of the ordinary, even for him. He’s discussing ways to copy and sell intellectual property to a competitor for a little extra money.
What would you do in this situation? Would you report it? Who would you tell? Are there any safeguards in place for someone who reports these incidents?
If your organization is like many others, there’s no clear answer for who to alert and how to handle reporting. Even if you report any suspicious behavior, often the person receiving the information doesn’t know what to do next.
People are the Best (or Worst?) Insider Threat Alerts
Many organizations rely on technology to identify malicious activity, but these solutions are typically designed to detect external threat actors. Technology alone can’t catch all insider threat attempts. People are the first, and arguably best, line of defense to provide insider threat alerts. So why do so few organizations collect data points from the observations of their workers?
The answer is simple. It can be difficult to solicit information from the workforce because people tend to shy away from conflict. They don’t want to put themselves in harm’s way, and there are many risks involved.
What if they report a co-worker for suspicious behavior when they weren’t actually doing anything wrong, or they misheard the conversation? What if the co-worker finds out who reported them? What if the co-worker loses his or her job?
That’s why it’s essential that organizations have an insider threat-knowledgeable workforce that is trained on how to act. Employees need to know what an insider threat is, key indicators linked to insider threat acts, and a trustworthy structure for safely reporting suspicious activities.
The Difference Between Anonymous and Confidential Reporting
To address the challenge of gathering workers’ observations, information security best practices point to two reporting solutions – anonymous and confidential.
Anonymous reporting occurs when people submit an observation without anybody realizing it was them. One example we’ve seen of anonymous reporting is a simple, small wooden box in the breakroom where workers can submit a typed piece of paper with comments on it. Usually the box is checked on a weekly basis by a person responsible for collecting inputs. An example of confidential reporting is when users email observations from a non-work email address to a secure inbox that can only be accessed by appropriate personnel.
You might be wondering which reporting approach is better – anonymous or confidential. Confidential reporting is the preferred means to communicate potential insider threat behavior. Anonymous reporting can provide the highest degree of protection to the reporter, but does not provide the organization a means to gain additional clarity. Confidential reporting ensures the reporter will not be identified but gives the organization a way to reach out for more information if needed.
Summary
Setting up a method for confidential reporting, educating your workforce on how to practice confidential reporting, and informing people on how the information may be used can encourage your workers to report suspicious behavior.
To learn more about insider threats, save your seat for our upcoming webinar, “Insider Threat Prevention: Unmasking Your Hidden Risks.” This discussion will cover differences between malicious and unintentional insider threats, and the building blocks of an effective insider threat program.