Questions Every Board Should Be Asking About Insider Cybersecurity Risks
Boards working in synergy with corporate management to drive business growth — that’s the dream, right? A recent McKinsey study notes that the pandemic has brought many companies closer to this ideal relationship, as company boards of directors (BODs) have risen to the challenge during a time of crisis to guide companies during this unprecedented period. A separate McKinsey study indicates that cybersecurity has been on the board agenda for some time.

But cybersecurity is a broad topic – and not all areas of cybersecurity are created equal. Certain issues can compound over time and have long-term impact if not addressed. There is one rapidly growing cybersecurity challenge that is still flying under the radar for many organizations: insider risk.

Today’s cloud-first and hybrid workforce has shifted security leaders’ focus from insider threats to data security risks. The majority of data leaks are accidental, not malicious. But regardless of intent, data leaks jeopardize the financial, reputational, and operational well-being of a company and its employees, customers, and partners.

Greatest Strengths, Greatest Risks

The pandemic was a massive force-accelerator for insider risk. Many businesses have increasingly built competitive advantage by fostering cultures rooted in speed, agility, collaboration, and innovation, using cloud-based apps and technologies to work smarter, faster, and better.

But nine out of 10 chief information security officers (CISOs) say data-security risk has escalated since the pandemic began. Alarmingly, employees are now 85% more likely to leak or lose files with intellectual property (IP) and other valuable data than they were before the pandemic began.

Companies cannot afford to block all risky activity: the majority of this activity is everyday productivity and collaboration, critical to getting work done and empowering ingenuity and innovation.

To address insider risk, organizations must shift from policy-based to risk-based cybersecurity approaches by considering their insider risk tolerance—the delicate balance between protecting valuable data and enabling speed, collaboration, and innovation.

Boards’ Growing Involvement in Cybersecurity

Boards are increasingly focused on cybersecurity, but not all boards see the full story on their organizations’ cybersecurity posture.

Executives and the board are frequently under-informed about insider risk, according to the 2021 Code42 Data Exposure Report, not least because 70% of information technology (IT) security leaders only brief the higher-ups on insider risk annually, upon request, on an ad-hoc basis—or not at all. Board members need to become literate in cybersecurity issues like insider risk and take a proactive approach to understanding and advocating for strategic prioritization of it.

“The board’s responsibility is to make sure that the executive team has a plan, is prepared, and is preparing the whole organization for the eventuality of an attack,” rather than merely reacting to every new security crisis, says Wolf Richter, a McKinsey partner who helps chief information officers (CIOs) capture the benefits and mitigate the risks of tech-enabled transformation.

Moreover, board members should see the direct connection between how insider risk is managed and critical business outcomes. Go too light on insider risk management, and the loss of IP or other valuable business data can hurt revenue and reputation and jeopardize the company’s long-term competitive advantage. But a heavy-handed, overly constrictive approach could stifle corporate culture by impeding collaboration and innovation, limiting long-term success.

Asking The Right Questions

When it comes to insider risk, it’s up to board members to ask the right questions of their executive leadership team, including the CIO, CISO and chief executive officer (CEO). Here are some good questions to start that dialogue:

Understanding the landscape – internally and externally

  • What technology trends do you anticipate impacting the future of data security for the organization, and are we prepared for them?
  • What external forces could most significantly shift your visibility into risk created by your employees?
  • What key performance indicators (KPIs) and metrics are you using to evaluate exposure to insider threats, data loss, and theft?
  • How are you reassessing the organization’s insider risk in light of recent or upcoming changes to the workforce, such as generational considerations with Gen Z entering the workforce, hybrid work, and voluntary and involuntary turnover?

Readiness in the face of an event

  • What is the process for when a large-scale insider risk incident takes place?
  • How will the board be notified and involved? How will you evaluate impact?
  • Are you getting the right support and funding to address the insider risks within the organization?
  • What level of visibility does the leadership team have into the movement of valuable data off-network and to the cloud?

Understanding impact

  • How do we ensure we are going beyond the bare minimum for compliance and can feel confident that our security audits are accurately evaluating our insider risk security posture?
  • What is the cost to the organization of insider risk and insider threat investigations? How long do they take? What have we learned from recent investigations?
  • During the quarterly or semi-annual risk assessment, how are we evaluating the likelihood and impact of data theft across the organization?

Boards Can’t Afford to Ignore the Growing Challenge of Insider Risk

The last year represents countless watershed moments in the business world—from the way people work at the ground level to the relationship between boards and corporate management at the top.

Savvy board members recognize that enabling fast-paced, cloud-powered collaboration culture is critical to positioning companies to thrive in the new business environment. But boards must also recognize that achieving this potential hinges on a company’s ability to manage the exponentially growing insider risk that these new ways of working present.

As naturally as they ask executives, “What are we doing to support innovation?” boards must also work collaboratively to answer the question, “What are we doing to manage insider risk?”
