This is the first article in a series focused on proactively managing corporate security culture and workforce expectations as your organization prepares to prevent, detect, and respond to insider risk incidents.
Your organization faces insider risk every day. The average cost of an incident over a 12-month period is $8.76 million, according to a recent Ponemon Institute study.

Introducing the idea of insider threat risk management to your workforce and enterprise risk planning agenda can be challenging. Your insider risk management plan may be met with a lack of workforce understanding of proposed policy changes, concern that it is going to set up ‘security speed bumps’ that impede workflows, or fear that it will invade their privacy. This means that the onus is on you to determine how to get your organization’s risk management naysayers onboard your well-intentioned security vessel.

How can your organization introduce the idea of insider risk management to the workforce with as much transparency and inclusivity as possible?

I learned the importance of bringing the workforce onboard through years of counterintelligence and insider threat mitigation in government and industry. My recommendation is an approach that:

• Explains what the workforce gets out of insider risk management
• Shows the need for managing insider risk
• Is upfront about what you are doing to manage insider risks
• Solicits workforce help in managing insider risks

The first prong in the strategy is to explain to your workforce why you are including insider risk management in your corporate security culture. Here are four actionable steps for launching this prong of the workforce investment strategy:

1. To protect your organization’s critical assets: Clearly communicate that the introduction of insider risk management to the already-existing security conversation is meant to ensure protection of your organization’s critical assets, including its most critical asset: human capital. Remind them that the impacts of an insider incident transcend stock price and shareholder value and could put the physical safety of staff and personnel at risk. Recent workplace shootings nationwide and government statistics show that fatal workplace violence is at an all-time high. Provide examples of how insider threat incidents have negatively affected other organizations. Explain how an insider incident could negatively impact your organization’s pace of operations, corporate reputation, public trust, and employee morale.

2. To raise their awareness that they may be targeted by an outsider: Inform them that every employee is a potential target of outsiders seeking to obtain sensitive data or harm your organization in another way. Explain why they might be targeted (e.g., for financial or political gain), by whom (e.g., foreign intelligence services), and how (e.g., phishing campaigns or in person). The case of Su Bin selling F-35 secrets to China shows how much effort and investment of time that a well-resourced outsider (or adversary) may be willing to exert to access your proprietary data.

3. To remind them that the security struggle is real: Share internal security stories and lessons learned with them to show that security risk is dynamic, yet manageable with careful thought, reflection, and course adjustments.

4. To clarify that an insider incident can be deliberate or unintentional: An insider incident can be malicious, careless, or merely an uninformed action conducted by well-intentioned staff, however, the potential for harm to your organization will be the same. Unintentional activities, such as sending an email to the wrong person or misconfiguring web servers, can prove costly to organizations, according to the 2018 Verizon DBIR study.
These are not the only steps you can take to explain to your workforce why you are including insider risk management in your corporate security culture. They help launch the conversation for your insider risk management program and clarify workforce confusion early on in the process about why your organization feels compelled to address the issue.

Stay tuned for the second installment in this four-part series, which covers how to proactively manage and be upfront with your workforce about what your organization is doing to manage insider risk, coming soon.