The Insider: A Liability or An Asset?

While there is nothing astounding in the above statements, it is sobering. There are many different ways the trusted insider can migrate to the insider causing a liability. How can this be avoided?  Here are some preferred practices:

Onboarding:  On the employee's first day, he or she needs to read and attest to understanding the company's Code of Business Conduct, a clear and unambiguous statement with respect to the protection of entrusted data (IP, PII, PCI, R&D, etc).  The new employee also should be provided with a guide to resources, and a roadmap that helps to answer ethical questions and dilemmas.

Awareness: Security awareness and education should not be limited to new employee orientation, yet the new employee must receive an introduction to the security policies, processes and technologies within the business. This is when the expectations of the business are first articulated to the employee. A review should be conducted within 90 days and thereafter on a frequent, ongoing basis. Awareness should never be considered "once and done.
-    Policies: Align policy with the company's mission. If policy is preventing execution, then perhaps policy creators don't understand the business. Don't put your employee in the position of choosing between following a policy and getting the job done.
-    Offboarding: When an employee separates from the firm, be it for cause, voluntarily or due to a reorientation of the business direction, a review of all privacy and confidentiality agreements should occur. Furthermore, there should be a positive confirmation of the employee's return or destruction of all electronic media containing corporate information in the employee's possession.

From my optic, security is truly a business enabler and not an add-on dragline designed to slow the collective progress. An educated individual with clear expectations reduces the number one cause of data exposure by an insider - that which was a result of inadvertent disclosure.