This is the second article in a four-part series focused on proactively managing corporate security culture and workforce expectations as your organization prepares to manage insider risk.
In Part 1 of this series, GPSG’s insider threat risk team introduced its workforce investment strategy and provided actionable steps for explaining to your workforce why you are including insider threats in your risk calculus. Read more here.
Communicate Your Insider Risk Program to Your Workforce
After sensitizing your workforce to the idea of insider risk management, how can you be straightforward and upfront with them about how you plan to establish and subsequently enforce new policy or monitoring changes to your enterprise security plan?

The second step in GPSG’s workforce investment strategy is to proactively seek ways to manage and be upfront with your workforce about what you are doing to manage insider risk, including:
1. Offer in-person meetings and email to help address questions on the spot and clear up misconceptions about your organization’s insider risk management approach as early as possible.
2. Let them know if you are exploring employee monitoring software. Clarify who will have access to the monitoring capabilities and subsequent analysis. Be clear about whether you intend to alert a manager each time an employee violates a data policy or whether warnings will be given in advance of such action.
3. Let them know if you plan to review or limit access. It makes sense that you would restrict access to sensitive data to certain employees.
4. Include insider risk in your enterprise cyber and security training. Just like cybersecurity should be viewed as a corporate responsibility, not just the responsibility of the IT department, insider risk management is everyone’s responsibility.
5. Let them know if you plan to establish any new policies. Be sure to address how they will be communicated, how they will be enforced, and who will be responsible for enforcing them.
These actionable recommendations help steer the conversation for your insider threat program and answer initial workforce questions early on about why your organization feels compelled to address this critical enterprise security issue.
Stay tuned for the third installment in this four-part series, coming soon, which covers explaining the benefits of insider risk management to the workforce, or the ‘what’s in it for them?’
Contact GPSG today for a free insider threat risk management consultation at cyberteam@gpsg.co
