This is the second article in a four-part series focused on proactively managing corporate security culture and workforce expectations as your organization prepares to prevent, detect, and respond to insider risk incidents. 

In Part 1 of this series, GPSG’s insider threat risk team introduced its workforce investment strategy and provided actionable steps for explaining to your workforce why you are including insider threats in your risk calculus, read more here. 

After sensitizing the idea of insider risk management to your workforce, how can you be straightforward and upfront with them about how you plan to establish and subsequently enforce new policy or monitoring changes to your enterprise security plan? 

The second step in GPSG’s workforce investment strategy is to proactively seek ways to manage and be upfront with your workforce about what you are doing to manage insider risk, including:   

1. Offer in person meetings and email to help address questions on the spot and clear up misconceptions about your organization’s insider risk management approach as early as possible.
2. Let them know if you are exploring employee monitoring software as soon as possible. Clarify who will have access to the monitoring capabilities and subsequent analysis. Be clear if you intend on alerting a manager each time an employee violates a data policy or if there will be warnings given in advance of such action.
3. Let the them know if you plan to review or limit accesses. It makes sense that you would restrict access to sensitive data to certain employees.
4. If you already have cybersecurity training at your organization, add insider risk as a topic. Just like cybersecurity should be viewed as a corporate responsibility, not just the responsibility of the IT department, insider risk management is everyone’s responsibility.
5. Let them know if you plan to establish any new policies. If so, be sure to address how they will be communicated, how they will be enforced, and who will be responsible for enforcing them.

These are not the only steps you can take to proactively manage and be upfront with your workforce about what you are doing to manage insider risk. They help steer the conversation for your program and answer initial workforce questions about why your organization feels compelled to address this critical enterprise security issue.

Stay tuned for the third installment in this four-part series, which covers explaining the benefits of insider risk management for the workforce or the ‘what’s in it for them?’, coming soon.