To reduce cyber crime, organisations must get serious about people risk and apply a holistic approach
We read almost daily about high-impact cases of cyber crime where the affected organisation was fully compliant with its respective regulatory frameworks. Organisations can become blinded by compliance to the point where they have a false sense of assurance about managing people-related risk. This is defined as counter-productive behaviour, from inadvertent to malicious, and can range from oversight and corner-cutting – such as sharing passwords or propping open doors – to opportunistic behaviour including theft, fraud and sabotage.
A recent example of the damage people risk can cause is an investment bank that suffered significant losses through a single broker’s late-night trading. While the bank was compliant in identifying individual anomalies, its lack of a holistic approach led to it losing £6m. The broker took Monday off work (an operational state anomaly) and by the evening had made his first batch of unauthorised trades (role, authorisation and operational anomalies). He notched up thousands of trades worth a total of $520m (£345m). He bought a net 7.13 million barrels of oil during the typically quiet overnight period (a time anomaly). His actions sent prices surging (a price/market anomaly) by more than $1.50 to $73.50 for a barrel of Brent crude oil – the highest for eight months (another time anomaly). The deals potentially cost companies worldwide more than $100m.
By taking a holistic approach to people risk management, the bank could have avoided this loss. In September, Holistic Management of Employee Risk (Homer) was published by the UK’s Centre for the Protection of National Infrastructure (CPNI) and PA Consulting Group. Homer recommends a series of key steps for organisations to manage people risk effectively.
Think whether your organisation manages people risk coherently
Ask yourself these three questions:
- Is people risk managed in exactly the same manner as other corporate risks?
- Who is the single accountable owner of people risk?
- How is people risk brought together for coherent day-to-day management?
When a high-impact incident occurs, after the individual(s) and their line-management chain, it is often the people responsible for protective monitoring who are held to account. "Why didn’t you spot it in advance?"; "Why didn’t you respond effectively?" While these are good questions, they are not always asked of all the leaders in the organisation who are accountable for people risk.
Focus first on what behaviours are useful to capture as potential indicators of riskier behaviour
To illustrate this point, consider that effective monitoring of people risk is only possible if the organisation has first identified its high-value assets, such as physical assets, information and data assets. Having done so, it can then monitor access to those assets. In reality, however, we find that many organisations don’t even know how many servers they have, let alone which of their data is of most value. Effective monitoring also depends on efficient identity and access management. Yet, too often, we see people left with residual access months, and sometimes years, after they have left the company.
Apply a crystal-clear lens to the data feeds you need to identify riskier behaviours
We see too many clients describe their monitoring capability in terms of the tools they have - log data is often the last thing they mention. They typically have only one or two useful feeds and are in a reactive stance. To be effective, monitoring teams need to focus first on what behaviours are useful to capture as potential indicators of riskier behaviour. In this data-heavy world, if your monitoring team could have only six data feeds, what would they be? If you apply a holistic, crystal-clear lens – such as that provided by Homer – to clarify which behaviours, if looked at together, would identify riskier individuals, then this can work wonders in reducing your people risk.
Shrink opportunistic crime and develop foresight
Applying an ethical, transparent and legal approach, Homer shows how organisations can reduce risk by ensuring their monitoring is demonstrably risk-based. It also shows how, working with HR, risk and information management functions, as well as line managers, you can shrink opportunistic crime through effective deterrence. That deterrence rests on an integrated set of policies, controls and appropriately publicised responses to incidents, and on ensuring your monitoring is operationally unpredictable – otherwise it can be circumvented.
Organisations can also develop foresight by building an integrated scorecard of behavioural risk thresholds that provides alerts for further investigation when the correlated risk scores are triggered.
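The following added example (not part of the article, nor of Homer or CPNI material) sketches such a scorecard in Python: each behavioural category from the trading case above is checked separately, and only the correlated score decides whether to escalate. The event records, the quiet-hours window and the escalation threshold are constructed placeholders.

```python
from datetime import datetime

# Constructed sample events for one user: an HR leave record, an overnight
# trade and a market observation (placeholder values, not real data).
EVENTS = [
    {"user": "u123", "kind": "hr", "status": "on_leave", "ts": "2024-03-04T08:00"},
    {"user": "u123", "kind": "trade", "ts": "2024-03-04T23:40",
     "authorised": False, "qty": 7_130_000, "limit": 500_000},
    {"user": "u123", "kind": "market", "ts": "2024-03-05T03:00",
     "move_usd": 1.50, "typical_move_usd": 0.40},
]

QUIET_HOURS = set(range(22, 24)) | set(range(0, 6))  # assumed overnight window
ESCALATE_AT = 3  # assumed: escalate once three or more categories correlate

def categorise(events):
    """Check each event against the behavioural categories and report which fire."""
    leave_days = {e["ts"][:10] for e in events
                  if e["kind"] == "hr" and e["status"] == "on_leave"}
    fired = {}
    for e in events:
        if e["kind"] == "trade":
            when = datetime.fromisoformat(e["ts"])
            if e["ts"][:10] in leave_days:
                fired["operational_state"] = "trading while recorded on leave"
            if not e["authorised"]:
                fired["authorisation"] = "trade outside approved mandate"
            if when.hour in QUIET_HOURS:
                fired["time"] = f"trade at {when:%H:%M}, inside quiet window"
            if e["qty"] > e["limit"]:
                fired["volume"] = "quantity above position limit"
        elif e["kind"] == "market" and e["move_usd"] > 2 * e["typical_move_usd"]:
            fired["market"] = "price move well above the typical range"
    return fired

def scorecard(events, weights=None):
    """Correlate fired categories into one score: a lone indicator stays below
    the escalation threshold, several together trigger an investigation."""
    weights = weights or {}
    fired = categorise(events)
    score = sum(weights.get(c, 1) for c in fired)
    return {"fired": fired, "score": score, "escalate": score >= ESCALATE_AT}

if __name__ == "__main__":
    result = scorecard(EVENTS)
    for category, reason in result["fired"].items():
        print(f"{category:18s} {reason}")
    print("score", result["score"], "escalate", result["escalate"])
```

A siloed view sees each category fire at most once and never reaches the threshold; the combined scorecard is what surfaces the pattern.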
Applying Homer will build trust, respect and competitiveness – while reducing risk
If done well, using Homer will have four results:
- Accountability for managing people risk will be clarified and its operational management improved.
- Understanding of interdependencies across organisational functions will improve and gaps closed as functions give each other necessary mutual support.
- People’s trust in the organisation will increase, together with its competitive advantage.
- The risk of an incident will reduce.
CEOs should use Homer to have an engaged debate with their executive board about how people risk is managed in their organisation. Three of the key aims here are to clarify how daily behaviours – or culture – support espoused values and expectations; to identify where the management of people risk needs better integration across functions to improve effectiveness; and to identify where information management, including all aspects of information security, supports the effective management of people risk.
Bill Windle was one of the PA team that co-wrote Homer together with CPNI and is an expert on people and cyber risk. For more information, visit http://www.paconsulting.com/cybersecurity.