Many companies are concerned by the uptick in insider risk that’s come with the work-from-home boom. By one estimate, 58% of office workers work from home at least one day a week. This trend creates blind spots for companies. Managers see their employees less often, people work off network and on personal devices, and they keep schedules that no longer adhere to the previous, more predictable hours.
The security costs of work from home are real. A recent report from IBM estimates that a breach costs $1+m more if most employees work remotely. However, it’s hard to turn back the clock. While some companies have set a hard line and required people to come back to the office, many have come to the realization that at least some location flexibility is likely here to stay. This raises the bar for insider risk management.
Remote work and working from home have increased the use of employee monitoring software and have left managers and HR teams wrestling with how to ensure their distributed workforce is productive and data is secure. These developments have implications for insider risk management. With the right approach, companies can become more productive and safer.
Productivity In a Work-From-Home Era
Largely outside the realm of insider risk management is a new focus on understanding productivity. Many companies are starting to implement workforce behavior software, or monitoring software, to better understand what their workforce is doing when working remotely. The best implementations are transparent and proactive. Rather than using monitoring as a surveillance tool, forward-thinking companies are using it to create a better culture across remote teams.
For insider risk professionals, this might seem counter-productive, but it’s not. Poorly implemented employee monitoring has been proven to hurt a company’s culture, not help it, and that can actually increase risk. Surveillance-based monitoring can create conditions that remove the burden of responsibility from employees and make them more likely to break the rules.
However, a company with a strong culture that supports workers increases an employee’s sense of moral responsibility. Making it clear that it is up to employees and management to protect the organization and its customers helps enlist workers as part of the solution in addressing risk.
Here’s how it works
- Create a good communication plan – Communicating with employees makes them more trusting. Gartner notes that to ensure that monitoring increases productivity, tailor communication to individual roles, or even specific individuals. For example, call center employees might be subject to more monitoring, and might need a more detailed understanding of what to expect. It’s also better to empower managers to roll out the information to make it feel less “corporate.”
- Implement analytics-based monitoring software – Tools that simply monitor keystrokes and mouse movement are not going to provide the rich insights companies need to get ahead of issues. Rather, companies need technology that can create a baseline understanding of each worker and spot early signs of divergence, such as more negative language, access from a new device, etc.
- Be proactive – When issues are spotted early, there’s a chance to make an improvement. For example, a manager might be able to resolve an issue with a disgruntled employee before there’s a real risk. Another manager might uncover that their team is burdened by a complex process that can be improved. By reaching out and resolving issues rather than just fighting fires, companies create more trust and reduce risk.
Including Insider Risk
It’s important that insider risk stakeholders work hand-in-hand with HR and executive management to have a cohesive plan in place. The right insider risk approach supports a push for a more productive and participatory culture; it does not undermine it.
One way to do this is for insider risk stakeholders to create a task force with people from other teams. Together, the team can create an action plan for any issues that arise. For more minor issues, HR or direct managers might handle them directly but report to insider risk for additional monitoring. For larger issues, insider risk plays a larger role, but still follows communication best practices to ensure that the company culture is supported. For any threats that arise, monitoring can be used to record information and make a case, while the team works together to minimize the effect on the wider company.
Insider risk can be thought of as an important part of a larger strategy that smart companies are implementing – to maximize productivity and increase security for their distributed workforce. A major element of productivity is safety, which is a two-way street. When employees feel cared for, they are actually less likely to create risks for their organizations, and when organizations focus on productivity, they create a culture of trust. This virtuous cycle can help insider risk stakeholders succeed in this work-from-anywhere world.