So, you’ve successfully detected, and then investigated a potential insider threat. You’ve learned a great deal about that user (be it an employee or a third-party contractor), including who they are, what happened, when, where, and also why, thanks to the visibility given to you by your insider threat management solution.
You’re ready to take action. The data-backed evidence you need is there, in both video and textual log form. But how do you confront the perpetrator?
The short answer is, you don’t. The reason why comes down to two things: your role-based expertise, and your overall intentions.
Know Your Role
By definition, your expertise and role as a cybersecurity professional relates primarily to cybersecurity. Any matters of personnel management, reprimanding, etc. should involve members of Human Resources and/or Legal, depending on the severity of the situation at-hand. To do otherwise may welcome undue risk upon yourself, your team, and your organization as a whole.
Intention wise, it’s more of the same. Consider the meaning of the word “confront” for a moment. It has associations that are primarily negative – when you confront someone, you’re challenging them, and welcoming a response. More often than not, that response will be anything but positive, increasing risk.
No one wants that.
How to De-Escalate the Potential for Conflict
If the way that your organization is structured demands that your cybersecurity team is responsible for the immediate conversations following an insider threat investigation, consider these handy conflict resolution tips:
Your insiders are your greatest asset, as well as your greatest risk. Their challenges, concerns, and frustrations are valuable. A little empathy can go a long way towards building trust in your efforts, the importance of cybersecurity, and improving your programs.
Think Before You Act
Not all insider threat incidents are malicious. In fact, most are accidental! Take time to consider the perspective of your insider, and how you may be able to improve policies and policy communication. You may discover that they are creating a barrier from your insiders doing what they do best – their jobs!
Be Prepared to Listen
Listening to what people have to say is a great way to de-escalate a situation. Oftentimes not feeling heard is a factor in building up tension that leads to an outburst, or built-up defenses that may re-assert negative preconceptions about things like, say, “burdensome” cybersecurity policies.
Find Agreement Points
If you can find common ground, you can find a way to move forward in a conversation.
Depending on the insider threat incident’s severity, you may want to consider providing guidance into what the user might be able to do better in future. For example: if your organization bans cloud storage apps, the user might find it helpful to learn about how your VPN works, etc.
In addition to these tips, consider how else you might be able to prevent insider threat incidents from occurring in the first place.
If you can detect a potential insider threat based on user activity, why not provide a guided prompt in real-time that coaches that user on cybersecurity policy? Are you capable of blocking out-of-policy activity? Do you have easy-to-understand policies in place, in a location that anyone can access and respond to?
Remember: insider threat management isn’t just about technology. It’s a holistic approach that balances People, Processes, and Technology in an effort to bring about a culture comfortable with improving and maintaining organizational cybersecurity health.
Learn how Proofpoint's insider threat management software can help your business detect, prevent and investigate insider threats effortlessly.
Subscribe to the Proofpoint Blog