Congratulations! You’ve been promoted to Supervisor! Of all the candidates, both internal and external, you stood out as most qualified and most ready for the job.
This is great news for Dakota. Not so great for Mark, another internal candidate. Mark is not happy. He thought he was more deserving – he’s been with the company longer, paid his dues. He was, in his mind, entitled to that promotion. This makes Mark a pretty significant risk, because disgruntled employees are a leading cause of insider risk turning into insider threat. Disgruntled, Unhappy, Negative, Slighted. In many insider threat cases, employees who felt this way acted against the best interests of the organization.
Mary is about to receive a less than stellar performance review. And with it, a lower pay increase than is the norm. Are you, in your role as protector of company interests, prepared to deal with the possible effects? Are you keeping a closer eye on Mary’s online behavior etc.? Looking for signs she is checking out?
Don was let go after 90 days on a performance improvement plan because the results were unfortunately not there. Were you, “company protector”, monitoring Don’s activity during the performance improvement period? Are you, company protector, sure he did not take work product out of the company in anticipation of being let go? How are Don’s closest friends in the company taking it? What are they saying about this online? Are they disgruntled? Unhappy? Negative?
In all of these situations, the possibility that an employee – an insider – might become negative was foreseeable.
Don’t expect what you don’t inspect – A whole lot of time and money gets spent preventing acts or behaviors from happening. Think about the data loss prevention (DLP) space; respected analyst firms such as Ciscohttp://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/data-loss-prevention/white_paper_c11-499060.pdf show the amount of money spent on DLP growing from in the $300–$400 million range in 2010 to upwards of $900 million in 2014. There’s an ever-increasing amount of money being thrown at the problem. To what end? In 2012, there were 934 confidential information leaks reported worldwide—a 16% increase over 2011.* In H1 2013, 496 leaks were reported—an 18% increase over H1. Not a great return on all that investing, is it?
Two plus two is not adding up here, folks. This is an ineffective deterrent…Now for the record I am not advocating turning away from traditional DLP solutions. What I am saying is that the value they deliver does not deter people from intentionally leaking data. It may stop the “smash and grab” types, but the determined bad guys are still doing their thing.
Thinking about this took me back and got me thinking recently, so I turned to the dictionary:
Deterrence (noun): The act of preventing a particular act or behavior from happening.
— Merriam Webster
The stats cited earlier suggest that we aren’t doing a great job on this.
Back to the dictionary:
Deterrence (noun): The act of preventing a particular act or behavior from happening; The act of making someone decide not to do something.
— Merriam Webster
The act(s) of making someone decide not to do something. Interesting….. How do we change the mindset of a person intent on acting in a way counter to the best interests of their employer? There is some fascinating research on this subject.
Valerie Wright, Ph.D., research analyst at The Sentencing Project, noted,* “research to date generally indicates that increases in the certainty of punishment, as opposed to the severity of punishment, are more likely to produce deterrent benefits.”
In other words, if YOU think YOU can get away with it, you are more likely to do it. I read that 75% of employee-related crimes go unnoticed.
I think employers can do a better job at deterring bad acts, like intentional data leaks, fraud, and IP Theft. I think the way we do it is by increasing the certainty of getting caught. If employees know that their computer activities are monitored, they will be less likely to think they can get away with it!
There is a definite parallel to the “eye-in-the-sky” in casinos. Yes, they serve to help casino security detect bad acts as they occur, as well as provide evidence after the fact. But they also serve to deter cheaters from even trying—just by being there.
Are we doing enough to deter? What’s the old saying? Numbers never lie …
“IT Monitoring Software Prevents Employee Theft” “Though there are several ways to prevent employee theft, information technology (IT) monitoring is a strikingly effective method in reducing theft and fraud, a new study finds. Said Lamar Pierce, Ph.D., associate professor of strategy at Olin Business School at Washington University in St. Louis http://www.businessnewsdaily.com/5052-prevent-employee-theft.html
KnowIT™ is for Founders, Business Owners, CEOs, CTO’s and HR executives who worry about Intellectual Property theft, employee productivity and the need to comply with laws that hold executives personally responsible for the actions of their employees.