By Jason Bero, Privacy, Risk and Compliance Officer, Microsoft Canada
Long before the days I began my career in technology, I was a warehouse manager at a large retail chain. During the onboarding training, as warehouse managers, we learned about a very concerning topic: employee theft and fraud. Did you know that 75 per cent of all employees in retail commit some form of employee theft in their career? Annually, retail chains lose upwards of 5 per cent of its total revenue due to employee theft or fraud. At the time, I personally found these statistics astounding and somewhat improbable. I never fully believed that inside theft was that big a problem and viewed the dated educational videos more as propaganda of fear, than based on reality. It wasn’t until much later that I understood the reason for having more security cameras in the warehouse than in the front show rooms.
Fast forward many years later – the risk of outside threats has increased, the mishandling of internal assets is prominent, and inside access to knowledge and assets has led to more risk than ever before. From incidences within government agencies, sly dogs at car manufacturers or COVID-19 intelligence fraud taking place, the number of growing front-page news stories about this should be proof. In fact, insider threat and risk incidents have increased, and in 2020, malicious insiders made up 43 per cent of internal data breaches, according to a report from Forrester.
Where do you start?
Ahead of technology, comes good old fashion employee awareness, training and policies. Any CISO would agree that this is the best starting point to a sound risk posture. However, in most cases of insider risk, education alone cannot solve the problem. “You can educate your people on what is bad, but you cannot educate someone that simply chooses to ignore the consequence” – this is where organizations must leverage technology to help with sound data classification, information protection and insider risk management.
The first step in any risk program starts with people and their processes. Next, once understanding the physical landscape, it is just as important to understand the digital landscape:
- What is important to us?
- Where does it reside?
- Can and how do we protect it?
- How can we monitor its lifecycle?
- How do we ensure its integrity?
Minimizing risk in any organization starts with understanding the types of risk found in the work environment. Some are driven by external events that are outside the boundary of direct control. Other risks are driven internally that can be minimized and/or avoided altogether. Some specific examples are risks from illegal, inappropriate, unauthorized or unethical behaviour and actions by users in your organization. These behaviours could include:
- Leaks of sensitive data and data spillage
- Misappropriate handling of personally identifiable information
- Confidentiality violations
- Intellectual property theft
- Insider trading
This is where tools such as Microsoft Insider Risk Management and Communications Compliance can help. These solutions are built right within Microsoft 365 and help minimize internal risks by enabling security or review teams to detect, investigate, and act on malicious and inadvertent activities in your organization while maintaining transparency and the balance of end user privacy. By connecting to the logs within Microsoft 365 and the Microsoft Graph, insider risk management allows you to define specific policies to identify risk indicators. These policies allow you to identify risky activities and to act to mitigate these risks.
The tools are centered around the following four principles:
- Transparency: Empowering organizations with the balance of end user privacy versus organizational risk.
- Configurable: Customizable policies based on industry and business groups.
- Integrated: Integrated workflows across the many Microsoft 365 and external third-party service platforms.
- Actionable: Provides insights to enable reviewers with notifications, data investigations, and eventual end user investigations.
Before getting started with any insider risk management technology, there are important planning activities and considerations to review by your information technology, security, and compliance management teams. Risk management is never a solo sport. To learn more about best practices for insider risk management, visit Best Practices for Insider Risk Management and listen to Uncovering Hidden Risks podcast to learn more about the various risks that organizations face.