
Inside Medical Liability

Fourth Quarter 2020

 

 

TECH TALK

5 Strategies for Managing Insider Risk

Remote work isn’t going away anytime soon. In fact, thanks to the pandemic, 26% of U.S. workers reported working entirely from home in the late summer, while 49% reported some telecommuting during the past year, according to Gallup.1

By Amy Buttell

 

As employers seek to manage their workforces around the pandemic, security is nearly as big a concern as health. The rushed move to telecommuting last March left some organizations with holes in their security perimeters. That’s because security solutions that work well in a centralized office are ill-suited for remote, cloud-based work arrangements.

The majority of these security solutions are designed to cope with cyber risk stemming from external threats. However, insider threat is a growing concern, especially in industries such as medical professional liability that rely on intellectual property for competitive advantage. In fact, 63% of employees who admit taking data with them to a new employer have done it before.2

Insider risk doesn’t exclusively stem from malicious insiders. It also occurs due to mistakes and carelessness. Unfortunately, the result ends up the same: your proprietary intellectual property potentially ending up in the hands of a competitor.

Many organizations ignore or underestimate this risk. However, it’s a big risk and it is increasing as employees untether from the corporate network. Economic uncertainties caused by the pandemic are likely to heighten insider threat as mergers, acquisitions, layoffs, and downsizing create concerns for workers who may consider using corporate data to get a new job.

Fortunately, there are steps that your organization can take to identify and manage insider threat.

Strategy #1: Understand the problem

Before you can fix an issue, you’ve got to understand it. Many corporate security departments are overly oriented towards blocking and classification systems that poorly contain insider threat.

Classifying work product and intellectual property by risk is inefficient because the workers doing the organizing don’t have a good sense of the security sensitivity. Blocking fails because in collaborative cultures many people need access to sensitive data to do their jobs. Security ends up making so many exceptions to blocking rules that they become ineffective.

Insider threat arises because collaborative cultures require open access to data, organizational intellectual property, and other sensitive material. You can classify and block your top customer lists as much as you want, but the sales team and sales managers can’t do their jobs without them. What’s to stop your sales manager, who works remotely off your grid, from taking copies of your customer list? Or your product marketing AVP, also a remote worker, from leaving with your product roadmaps?

It doesn’t have to be a malicious event. What if your marketing EVP is tweaking the presentation for your new disruptive product on a personal laptop on an unsecured network at home? Sure, it’s unlikely that it will fall into a competitor’s hands, but you never know.

The bottom line is that you can’t afford to take insider risk and insider threat lightly. Too many businesses that have done so no longer exist.

You might not remember Jawbone, a producer of Bluetooth devices. That’s because it went out of business in 2017 after six of its employees were accused of taking trade secrets with them to Fitbit.4 The dispute ended up in court, but it was too late for Jawbone.

Strategy #2: Get board and executive buy-in

For any viable insider threat program to succeed, you need board and executive buy-in. Implementing new technology and programs is a challenge these days, with budgets squeezed by the pandemic and associated economic uncertainty.

However, this is one budget battle that you can’t afford to lose. Arm yourself with evidence that supports your case from credible sources such as the yearly Verizon Insider Threat Report.5 Insider threat falls squarely in the domain of the chief information security officer. Other stakeholders include the chief information officer, the general counsel, and the vice president/director of human resources or the chief people officer.

Taking some time to explain to these stakeholders why insider threat needs to be taken seriously and what can be done about it can help to get an insider threat program started in your organization.

Strategy #3: Increase visibility

Any technology solution you adopt must increase your organization’s visibility over all of your data on all of your corporate devices, regardless of whether they are in a central office or spread all over the country with far-flung remote staff. This isn’t as hard as it sounds because the key is monitoring data, not people.

It matters less what people are doing than where people intersect with sensitive data. You can keep track of that intersection when you implement a real-time, 24/7 data monitoring program.

If a product roadmap disappears from an employee’s laptop to an unauthorized Dropbox account or thumb drive, the right technology will notify your security team quickly. One of the biggest problems with using traditional solutions such as blocking to contain insider threat is that it takes too long to find out when your data walks out the door. You won’t know until your biggest customers start defecting to your competitors or your new underwriting technology surfaces elsewhere.

Strategy #4: Create policies and programs

Written policies and training are essential when it comes to developing an insider threat program. You must create policies and rules that document workflows around the new insider threat program and build training programs so that employees understand what insider threat is and their responsibilities in your insider threat program.

The stakeholders mentioned above must all be involved in implementing an insider threat program from their various perspectives—legal, human resources, security, and technology. It’s up to legal to ensure that relevant laws are followed in the design of policies and training programs. Human resources and security must collaborate to communicate with employees about potential insider threat incidents. IT owns technology, so they must buy into the best technology solution and collaborate with information security to implement it.

Strategy #5: Communicate with employees

Open communication with workers is essential. The best way to build trust in a collaborative culture is to openly inform employees that their data is being monitored and that any intellectual property they create while working at your organization belongs to the organization, not to them individually.

Educating employees on the dangers that insider threat poses for the company—and ultimately their livelihood—creates allies who understand that everyone has a responsibility to protect the organization’s valuable intellectual property.

Regular training and awareness around insider threat in general and company-specific programs in particular will ensure that employees continue to be informed and aware. Informed and aware employees are less likely to make security mistakes or attempt to take information with them that doesn’t belong to them.

A final word

Insider threat is a growing concern in organizations around the world. As collaboration becomes even more critical to organizational success, more proprietary information is being shared with workers than ever before. That’s why it’s crucial to create and manage a robust insider threat program that can secure your organization from the risk of losing vital proprietary information.

References
1. Jeffrey M. Jones, “U.S. remote workdays have doubled during the pandemic,” Gallup, Aug. 31, 2020: https://news.gallup.com/poll/318173/remote-workdays-doubled-during-pandemic.aspx.
2. Code42, “2020 Data Exposure Report”: https://www.code42.com/resources/report-2020-data-exposure.
3. Scott Briscoe, “Most data breaches come from insiders,” ASIS International, Oct. 10, 2019: https://www.asisonline.org/security-management-magazine/latestnews/today-in-security/2019/October/most-databreaches-come-from-inside.
4. David Phelan, “Six former or current Fitbit employees charged with possessing Jawbone trade secrets,” Forbes, June 16, 2018: https://www.forbes.com/sites/davidphelan/2018/06/16/fitbit-employees-charged-with-possessing-jawbone-trade-secrets/#4ac2b3912b32.
5. Verizon Business Ready, “Insider Threat Report 2019”: https://enterprise.verizon.com/resources/reports/insider-threat-report.


 

   
 


Amy Buttell is the editor of Inside Medical Liability.