Modern security requires a compassion-first approach to insiders


An insider threat can come from anyone, anywhere in an organization. It could come from a disgruntled former employee who stole artificial intelligence trade secrets, or from someone who took mobile chip design secrets with them when they walked out the door to a competitor. It could even come from the C-suite, as one company recently learned when its CFO accidentally shared a “restructuring” document with the entire company. Inadvertent disclosures can create employee uncertainty and, for public companies, can even trigger the U.S. Securities and Exchange Commission’s (SEC) Fair Disclosure (Reg FD) filing requirements, where disclosures can harm shareholders.

For the security team, it may not be appropriate to take a combative approach with the CFO over unintended data sharing. There is a better way.

A compassionate approach to insider investigations

The way we approach external threats, such as malware, is very different from the way we approach insiders.

Table of malware threats and internal threats

There are many factors to consider when managing internal risk, especially as it relates to the desired business outcome. Internal investigations should not fall solely under the control of the security team and often require the cooperation of security, HR and legal. According to Gartner, “survey data…more than 50% of insider incidents are non-malicious,” meaning that often the cause of the problem was an employee simply trying to do their job, making a mistake, or taking a shortcut. Treating their actions as intentionally malicious is the wrong approach and can backfire. Those involved in the investigation must take a compassionate, nonjudgmental approach. Otherwise, the risk of that employee making the same mistake again or becoming frustrated and disenfranchised increases significantly.

Approaching insider investigations with compassion requires a psychological shift. It is the first step in building trust, so that the best results for the organization can be achieved. Here are five important things for insider investigations:

  • Connect to understand. When an incident occurs, the first response might be something as simple as, “Hey, we noticed you moved a document to your personal cloud account. Do you want to do this?” Their response is often surprising, because it was a mistake, or they didn’t realize it wasn’t allowed. Maybe they just needed to do a job, and this was the fastest way.
  • Explore unconscious bias. All people have conscious and unconscious biases that influence our actions and decisions. The HR team can have other stakeholders examine these biases and work to mitigate them. It is important to treat all individuals equally, whether they are peers, the CEO, or someone in a different group or culture than you.
  • Confirm to support the partnership. If the incident was a mistake, let the employee know that they are not in trouble. The employee may believe they are, and may wonder if they could lose their job. Being defensive and denying the behavior is a natural human instinct. Reassure them that this incident is reversible and that you are here to help. They are then more likely to be honest about what they were trying to do, and you will be in a better position to help and to recover any exposed or leaked information.
  • Learn. In the event of negligence or an emergency, it is important to give the employee information about the next correct action. Instruction given when the error occurs is more effective and more memorable than, for example, the annual training session. You can reinforce the discussion with a short one- to three-minute video about the specific situation.
  • Take action. It is important to approach every investigation with compassion, but a portion of insider incidents will always be violations. In these cases, documentation is important. If it is determined that the employee took an intentionally risky action and that they present an ongoing risk to the organization and its data, it is time to bring together all key stakeholders from security, HR and legal to provide a recommended course of action to the executive team.

Approaching insider investigations this way helps build a culture of trust, open communication and respect. It builds and promotes a positive security culture and, most importantly, helps keep your organization’s most valuable data safe and secure.

This content was produced by Insights, the custom content arm of MIT Technology Review. It is not written by the MIT Technology Review editorial staff.
