Part of Your Security Posture is Making Sure Your Managers Aren’t Jerks

According to the Ponemon Institute’s 2018 Cost of Insider Threats: Global report, of the 3,269 insider incidents that Ponemon investigated, 23 percent were caused by “criminal insiders” (as opposed to careless/negligent employees or contractors, or credential thieves). These malicious insiders can wreak all sorts of havoc, including theft of customer records, trade secrets or competitive information; and they can create enormous liabilities for their employer in the wake of their departure, such as triggering regulatory audits or fines for violating customer privacy.

So, why do employees become malicious and what can be done about it? Reviewing advice from a variety of sources reveals that most of that advice focuses on checking employees: check their background before they’re hired, monitor their behavior for signs that they might become malicious, and so forth. However, Osterman Research believes that companies should also focus heavily on their managers and monitor their behavior. For example, do managers in your company berate employees in front of their peers? Do they give them poor performance evaluations that are not justified? Do they demonstrate that they have “favorites” among their subordinates? Do they enforce company policies differently for some employees than they do for others? Do they insult their employees? In short, how well do your managers treat those that they manage?

Understanding management behavior is key. A study from several years ago by the law firm Drinker Biddle and Reath found that employees who are treated poorly by their managers will be more likely to commit fraud, intentionally breach data, and otherwise violate corporate policies.

What should employers do? There are several things:

  • Monitor managers’ email and collaboration accounts to uncover instances of morale-destroying behavior.
  • Monitor their personal social media accounts to uncover posts that undermine employees, the company or others.
  • Conduct anonymous employee surveys to get some honest opinions about how managers are treating their subordinates.
  • Monitor employee accounts for signs that their managers are treating them badly.

Of course, the goal is not to conduct a witch hunt or to undermine the morale of corporate managers. But bad managers create bad employees, and that significantly increases a company’s risk profile.

Are You Governing Your Information Properly?

What is “information governance”? Here are some definitions:

  • TechTarget: “A holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.”
  • Wikipedia: “The set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization’s immediate and future regulatory, legal, risk, environmental and operational requirements.”
  • The IG Initiative: “The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.”

In short, information governance is about getting value out of information and minimizing the risks associated with managing it.

We are just about to publish a white paper focused on the return-on-investment associated with information governance. As part of that effort, we have conducted a survey with mid-sized and large organizations to determine the state of information governance today. Here are some highlights:

  • Only 52% of the organizations surveyed have an information governance program today, but another 20% plan to implement one within the next 12 months.
  • The top three drivers used to justify an information governance program are risk avoidance, the risks associated with meeting regulatory obligations, and, somewhat surprisingly, maintaining or improving employee productivity.
  • Despite the fact that most organizations have or will have an information governance program in place within the next 12 months, most organizations do not regularly dispose of digital information from file shares, SharePoint or related systems.
  • Moreover, most organizations do not have a defensible disposition program in place.
  • More than one-third of the organizations surveyed have had sensitive or confidential content stolen from them. This theft most often comes from outside parties, but a sizeable proportion of it was committed by insiders.

Our focus in the white paper will be on a) why information governance is an essential best practice for any organization, but particularly those with large amounts of sensitive, confidential or otherwise valuable information; and b) how to demonstrate the return-on-investment that can be realized by implementing an appropriate information governance program.

If you’d like an advance copy of the white paper, please let us know.