Archive for the ‘Insider Threat’ category

The Important Links between Culture, Risk Management, and Business Performance

August 24, 2010

Culture—often a microculture within a specific business unit or location or function—is a critical underlying component of the likelihood and severity of business misconduct. Corporate Executive Board research finds that companies with healthier cultures realize numerous benefits:

  • Their employees are two-thirds less likely to see misconduct and much more likely to report misconduct and operational failures.
  • Managers who exhibit corporate values can improve employees’ performance by 12%.
  • Their 10-year total shareholder return outperformed peers’ by 16 percentage points.

Unfortunately, three years of highly detailed data from nearly 500,000 employees at over 100 companies show that company executives consistently have rosier assessments of the health of their culture than non-executive staff. The research shows that nearly 60% of employees do not share bad news and negative feedback because they fear it will negatively impact their careers. Furthermore, employees would forgo $1m to $10m in company earnings in order to avoid sharing bad news. Although these results were not specific to information security concerns, IREC believes they can be extrapolated to the security arena.

Culture, properly understood, is a risk control, and a control that impacts much more than just compliance. Making this intellectual leap helps companies understand how best to treat culture: as a measurable phenomenon. That is, critical cultural competencies should be defined, tested, and actively fostered. Companies should start by following these three simple guidelines:

  • Equip managers to deal decisively and consistently with instances of misconduct or unethical behavior;
  • Show the whole employee population—using real instances from the company—how the company deals with misconduct; and
  • Close the loop with employees who report misconduct, so they know that appropriate actions were taken.

Related Research:
Managing the Threat from Malicious Insiders
Preventing Employee Misconduct
Preventing Data Leakage


One More Prediction for 2010, But Are We Going to Heed It?

December 28, 2009

In our last post we gathered together the pundits’ predictions for 2010, but perhaps predictably (sorry), they seem to be more about surprise and novelty than actual risk-based predictions. In fact, few of these pundits even mention what is probably the greatest risk of 2010. Worse, even those who do know what that risk is are not acting strongly enough to manage it.

Handy Resources for Responding to WSJ-Inspired Questions

September 23, 2009

Fortunately, the three articles in today’s WSJ on IT Security are a lot less troublesome than those of two years ago. Nevertheless, it is a good idea to be ready to respond to questions about the articles from senior executives and managers in your organization. The elevator pitch is probably:

Yes, we are well aware of these threats and have protections in place against them. I am concerned about <Vulnerability X> and I’d like to implement <Security Investment Y> to address that and reduce the risk of <Business Impact>. Can we talk about that next week?

With that in mind, here are some facts and resources that will be helpful to have handy. The articles have titles that address sources of threats, but go on to address a wide variety of related risks. I’ll try to organize this post a little more consistently rather than respond to each article point by point.

The WSJ’s ‘IT Security’ Section

September 23, 2009

Today’s Wall Street Journal contains a special advertising section called “IT Security” paid for by the Risk and Insurance Management Society. The two-page section doesn’t seem to be available online, but it’s fairly prominent in the print edition on pages A19 and A20.

The three articles focus on insider threat, mobile device security, and social media, but contain little that will surprise anyone who has been paying attention to the information risk landscape. That said, several data points cited in the articles might catch the attention of your senior executives. Here are the highlights:

Insider Threat:
Privileged insiders pose a greater threat to organizations because of their access and their knowledge of how systems work. The article cites several anecdotes to suggest this threat vector is increasing.
Key ideas/data:

  • Only one-third of data breaches attributed to insiders are unintentional in nature.
  • Data Loss Prevention tools can “identify, monitor, and protect data, alerting network administrators when select information is being e-mailed” and subsequently prevent that traffic.
  • Cyber insurance can be purchased to offset the risk of a data breach.

Mobile Security:
Lost laptops and other mobile devices can be costly, and it’s important to track and secure the devices to reduce the risk.
Key ideas/data:

  • The cost of a lost laptop ranges from $8,950 to $115,849 depending on how quickly it is identified as missing. (Source: Ponemon Institute)
  • Nearly one-third of companies don’t know how many laptops were missing or stolen in 2008.

Social Media:
The rapid growth of social media tools is having an impact on businesses across the globe. Viral videos and social networks can have both negative and positive impacts.
Key ideas/data:

  • Firms should have social media policies in place to limit the risks associated with company employees posting information to the internet.
  • “Listening” tools can gauge how (e.g. tone) and where a firm is being discussed on the Internet.

If I find a link to the material online, I’ll post it. We’ll be back later today with a more detailed reaction and the IREC perspective. In the meantime, Council members can check out a few of our recent resources:

Insider Threat: Managing the Threat from Malicious Insiders
Data Loss Prevention: Preventing Data Leakage
Social Media: Social media Policy Builder, Sample Corporate Social Media Policies