Human factor as a key point in corporate risk management

Employee monitoring is helping companies to detect fraud, negligence, and insider activity, says Sergey Ozhegov, CEO of SearchInform, but should companies outsource or keep it in-house?

By Mark Sutton, published December 4, 2018

An employee is the main resource of a company and the main source of risks. Not every staff member is conscientious and honest. Sabotage, secret projects exploiting corporate assets and databases, and negligence can cause as much financial damage as a security breach or noncompliance with recent regulations.

Monitoring employees, or at least their workplace behaviour, can be a sensitive issue, but many companies are paying more attention to tracking employees' behaviour and managing the human risk. But should you hire a managed security service provider (MSSP) or appoint your own employees to manage risks?

It is easier to give an answer when a company's strategy outline is clear. If an enterprise is willing to stay focused on its objectives and keep the attention fixed on its basic business processes, then it will most likely turn to a third party consultant. If a company doesn't want to share its corporate secrets with a services provider, it will manage the situation by relying on internal resources.

Why opt for an MSSP?

Third party organisations keep up with all the recent changes in laws which regulate the workflow of different industries. They have access to information about risk management trends and to the most efficient instruments for detecting areas of vulnerability within a corporate perimeter. They are experienced in solving problems related to threat discovery and prevention. One of the advantages MSSPs possess is the ability, when required, to launch an investigation as soon as possible, while the creation of your own risk management department takes time which could be allotted to an incident investigation.

Why opt for an in-house team?

A company might think of launching its own employee monitoring mechanism, as well as the auditing program, before a violation happens. That is when time is not an issue and when the company is able to consider some of the advantages which aren't available to companies cooperating with service providers.

One of the biggest advantages is knowledge and understanding of a corporate structure and internal processes. Your own staff is familiar with the specific needs of your company and has strong comprehension of what is allowed and what is not. They are part of the same business as the monitored employees. They are as interested in progressive development of an enterprise and it is easy for them to consider staff peculiarities. Unlike MSSPs, your personnel are aware of the ways that introducing a monitoring program can affect productivity and the usage of corporate sources.

Keeping control of sensitive data transfer and storage

Information is a unique asset for any business. Providing an external service with access to secret data exposes confidential details to additional risks. Your own department allows your company to analyse a situation and coordinate activities without intermediaries.

A company knows its employees

Whereas an agreement with an MSSP means working with a given group of people you know nothing about, creating your own department lets you appoint the specialists you find most suitable for the role.

In-house risk managers have a grasp on a corporate culture

This awareness helps them in behavioural risk management and strategy shaping regarding particular groups of staff members.

Internal specialists can work out quite quickly the reasons for an unhealthy workplace environment which hampers effective interaction. Top management's indifference to negative feedback, discussing competitors and erratic performance can lead to backroom issues and fraudulent scheming. The analysis of intercepted information allows an organisation to set and calibrate the level and localization of team monitoring.

An intelligent approach to risk management facilitates control and promptly draws your attention to overpowered managers who tend to favour their friends and relatives when it comes to distribution of tasks. You will learn about any serious discord interfering with the quality of teamwork or happening within a board of directors. You will discover unprofessional conduct of executives or employees as well as network marketing and extremism.

A risk management internal department regards employees as individuals

Your own team is concerned about employee motivation and attitudes, and is attentive to words and actions, the first signs of an existing threat.

Information about each colleague helps managers in decision making concerning personnel issues and in obtaining a fair and accurate assessment of roles and assignments. Every employee has unique skills and shortcomings which can be either beneficial or pernicious within the limits of some particular job. These details should be considered when an employee is hired. The awareness of employee propensities can urge blackmailers to spy and threaten.

Software integration

Process automation, including audit and risk detection, helps to find appropriate solutions and reveal the source of a problem, providing all the necessary tools. The risk analysis system should be elaborate and receptive to the strengths and weaknesses of a company, so that the established corporate workflow is optimised rather than completely reconsidered.

There are systems developed for the purpose of internal risk management and tailored to GRC service parameters. They supply a company with a toolkit for detecting a violator who is willing to profit from employee personal data. The configuration of an automated risk management system lets you detect particular traits of an employee's personality as well as serious situations which can be detrimental to your business: addictions, debts, radicalism, gambling.

Software algorithms analyse correspondence between staff members via different communication channels and identify destructive tendencies.

In order to protect a company, your specialist isn't required to be an experienced risk manager. There are solutions through which you can get results as soon as the system is installed on corporate devices. Policies preconfigured by default launch a search for suspicious messages or atypical staff activity, supplying top management with the needed information.

The ongoing personnel monitoring allows you to cover all the aspects which can be influenced by an employee or the whole team.

Sergey Ozhegov is Chief Executive Officer at SearchInform
