Company Insiders Present Tricky Risk Control Issues

What are the firm’s critical assets and “what is it you’re trying to protect?” asked Michael G. Gelles, managing director at Deloitte L.L.P. in Arlington, Virginia, speaking at a session on avoiding insider threats Tuesday at the Risk & Insurance Management Society’s annual conference in San Antonio.

Risk tolerance “is an even more difficult question,” said Mr. Gelles. “That’s where we have the biggest conversations.” There has to be a “clear balance between having too little security and too much … If there’s too much, it can impede a business’s productivity” and have a dramatic impact on growth, “so that becomes very critical,” Mr. Gelles said.

One of the emphases in developing a program should be on prevention, said Mr. Gelles. An appropriately designed program “can really prevent a lot of the behaviors” that lead to problems caused by ignorant or complacent insiders, he said.

Another issue is vetting employees. “How are you thinking about vetting?” he asked. “How many of you do periodic vetting?”

Many individuals come into an organization and go through background investigations, “but can still be there 15 years later, and they’ll never have another background investigation,” Mr. Gelles said, referring to how people may change over the years.

Another factor to consider is mitigating the risk of departing employees, Mr. Gelles said.

People who leave an organization often take information with them with the attitude of “I wrote that, I designed that” and “it’s mine,” he said. “It’s a very interesting sort of cultural issue.”

Furthermore, he said, “what do you do to train your managers to be attentive to people?” Some organizations, he said, may have ethical hotlines, but what is done to proactively protect data so it does not get away?

Another factor to consider is information security controls.

“Everything goes back to risk appetite,” Mr. Gelles said. How many controls should be put on a workforce in terms of what they can do? Some organizations, for instance, prevent any use of personal computers for work-related business.
