Podcast Transcription

Conducting an employee investigation using a reliable data set

Dr. Christine Izuakor: Welcome to the Veriato Insider, a bi-weekly podcast covering some of the latest trends and things to know in cybersecurity. This podcast is sponsored by Veriato, a next-generation Employee Monitoring and Insider Threat Detection Software provider. To learn more about how Veriato can help protect your company, check out veriato.com. I'm Dr. Christine Izuakor, your host for today's segment, and we're covering how businesses can use AI to detect and prove sticky HR-related employee violations. So of course, navigating employee violations can be a very tricky and complicated process, and if not handled correctly, these can lead to everything from lawsuits, hits to a company's reputation, and probably the most concerning, dangerous working conditions that can impact the safety and wellbeing of employees. We'll get into that a little bit more in a little bit, but first I want to introduce our guest for today.

Dr. Christine Izuakor: So Virgil Capollari is an accomplished intelligence and Insider Threat professional with over 23 years of expertise in formulating, implementing, and leading insider threat advisements and investigations in global security efforts for high profile organizations like the US Air Force, US Department of Defense, the intelligence community and various private companies and organizations as well. Virgil currently leads Adaptive Risk Strategies. Welcome Virgil and thank you for joining us.

Virgil Capollari: Thank you so much for having me today. I do look forward to sharing some thoughts on this very interesting topic.

Dr. Christine Izuakor: And we look forward to hearing them. It is our pleasure. So maybe start by telling us a little bit more about your background.

Virgil Capollari: Sure thing. I've been involved in intelligence and insider threat for over 23 years as noted. I began my career in the United States Air Force within military intelligence. Following my military service, I served in the US government as a human intelligence officer and later a counterintelligence special agent. In these positions, I gained invaluable insight working on insider threats from different perspectives. On one hand, I cultivated relationships with individuals who had access to companies and information and utilized them as insider threats throughout various global locations. On the other, I led technology protection efforts and investigated insider threat cases, targeting sensitive information. I credit much of my success to these previous positions where I melded and applied the same skills, tools and perspectives used to either create or counter insider threats. Currently, I lead Adaptive Risk Strategies, which helps corporate security professionals and teams refine and improve their insider threat and investigations platforms. Additionally, I consult and collaborate with various security and corporate intelligence professionals to promote and enhance their capabilities.

Complex employee situations and costly consequences

Dr. Christine Izuakor: Thank you so much for sharing that additional background. Now, the world of human resources can be a sticky one, as we've already mentioned. It's riddled with complex employee situations and costly consequences. For example, in just 2018, the Equal Employment Opportunity Commission filed almost 14% more harassment lawsuits than the previous year. So the result was around $56.6 million in compensation payments to victims. Now give us a rundown on the current state of those employee violation trends and any thoughts you have on how that ties into an insider threat.

Virgil Capollari: As clearly shown in the EEOC report, there's been a steady increase in discrimination, harassment, and especially retaliation cases. As more people learn about the rights afforded to them, the more they're willing to come forward and report instances of discrimination and retaliation. Within this context, I think that Insider Threats emerge when they feel the need to take revenge or to hold an organization or manager accountable for a real or perceived wrongdoing. A victim of discrimination or retaliation might feel compelled to apply a similar approach when nothing is done to remedy a situation, especially by trusted managers or the organization at large. Generally, HR teams include investigators specialized in these types of investigations and work closely with organizational leadership to confirm or review allegations of wrongdoing, similar to how insider threat investigators work. Simply, they collect and analyze all available facts, present them to organizational leaders in a factual narrative, and a decision is ultimately made to remedy the situation.

Company culture is a key factor in countering Insider Threats

Virgil Capollari: Whether an insider is attempting to steal trade secrets or an aggrieved employee of retaliation is treated poorly and ignored, or the offenders are not dealt with accordingly, the methodology of how people choose to take matters into their own hands is generally similar. What I think is important to consider is the fact that company culture is a key factor in countering insider threats and hostile work environments. One noteworthy trend I've observed is that organizations that embrace employee rights in a do-the-right-thing approach by all employees, regardless of title or position, encounter fewer cases of insider threat and harassment lawsuits.

Dr. Christine Izuakor: Yeah, I think that's a really important point on the role that culture plays in all of this, and I think that culture is influenced by a couple of different parties and angles and so this is a good tie-in into another question, which is, who is typically responsible for managing these threats? Is it HR's responsibility, is it the technology or cybersecurity team? Is it another group? Is there an overlap? What are your thoughts there?

The critical path helps identify and clarify insider risk from insider threats

Virgil Capollari: I have seen all manner of threat management. Well, sometimes it is managed by cybersecurity, other times managed by HR teams and even legal teams, depending on the circumstances. Where I see the nexus is what is referred to as the critical path, which in the security and insider threat world, pertains to the individual behavior, behavioral patterns, and indicators. The critical path helps identify and clarify insider risk from Insider Threats. I have found that a multi-organizational team comprised of mature insider threat, security, cybersecurity, HR, finance, legal, and investigations professionals, along with a coordinated and measured approach works best. Normally, HR is the singular business unit that identifies the behavior or behaviors that could potentially identify an insider before they act. It has been in my experience that cyber and tech security teams do not necessarily understand the human factors that drive the vulnerabilities in the first place. While cybersecurity and tech teams provide a useful skillset that helps identify specific insider activities or indicators, they don't provide a holistic profile of the insider.

Virgil Capollari: Additionally, once an insider has been identified, the cyber and tech team is where we seek out the answers to why this activity occurred and whether it even constituted a threat in the first place. At a high level, the goal should not be to simply identify an insider, it's about creating a culture where individuals who are susceptible and presenting vulnerabilities can receive the needed support to take them off that critical path before they act. Just like sexual harassment or any other Title VII issue, it is precisely the human behavior that caused it that needs to be identified and addressed to avoid it from happening in the first place. Professionally, I found that the most mature insider threat programs usually report to a COO or fall under operations at an enterprise level.

Dr. Christine Izuakor: Wow, that's definitely an interesting perspective to know that insider threat-related incidents you're saying, are reported to the chief operating officer, is that right?

Virgil Capollari: Yes, that's what we would suggest at the operations level, someone that can kind of have a more holistic view and be able to take in the totality of the human dynamics as well as the business operations.

Dr. Christine Izuakor: Okay, well, so let's say a leader listening gets the unfortunate news one morning, a high profile case is opening involving an executive being accused of harassment or let's say it's an employee that's suspected to be trading insider knowledge with a competitor or whatever the case may be, walk us through at a high level, what a company should do in response.

Virgil Capollari: Suspected cases of harassment and insider threats both present risks to a company's reputation, profit margin, and operations. Hence, the company needs to be able to factually confirm and/or refute the allegations. This begins with a thorough review of all personnel records and other data sources, interviews with colleagues and associates in determining if true, was, or is the behavior indicative of something systemic? As is similar to insider threat cases in the critical path, their behavioral indicators and clues normally began long before the insider or bad actor takes action. In many cases, the behavior was already present. If the allegations are true, action needs to be taken to rectify the situation and make the aggrieved whole again. A mature insider threat program includes seasoned investigators and case managers, i.e., fact finders. They're skilled at developing factual narratives and allow decision-makers to assess the situation and take action. These fact-finders are not arbitrators, they simply present the facts to afford key stakeholders the opportunity to make informed decisions.

Dr. Christine Izuakor: What are things that leaders should be considering as they work to build these better employee violation detection, or insider threat detection programs and prevention strategies in their environments? And are there any thoughts that you have specifically around leveraging AI in this context because there's been a lot of just chattering and evolution and growth in that space as well.

Confidence and trust are earned through communication

Virgil Capollari: Definitely. It's no coincidence that an impressive security program is supported and receives guidance from the top. Leaders should carefully consider how they communicate their support, at least in terms of priorities and expectations. Simultaneously, insider threat teams in security management need to clearly articulate their roles, responsibilities, and capacity to deliver. I have encountered numerous security managers who were skilled and very knowledgeable in their positions but did not understand what the C-suite priorities were, thus, didn't tailor the security agenda around those main concerns. Insider threat programs are only as effective as their supporting structures. Undoubtedly, the workforce and organization this program seeks to protect need to be the focus of all insider threat communication and activity. Confidence and trust are earned through communication, education awareness, and accountability for results. Advanced insider threat programs have established peer reporting mechanisms where all employees are encouraged to report questionable and suspicious activity.

Virgil Capollari: As AI becomes more embedded within the security space, there's lots of potential for improving how insider threat teams manage their time and resources. AI can significantly reduce the background noise or chatter by aggregating large amounts of data and allowing insider threat teams to better prioritize their activities. When it comes to how AI is incorporated within cybersecurity and behavior detection systems, clear expectations need to be stated upfront, such as what issue or challenge would this AI strategy resolve? I ask this because human behavior is rather complex and not always easy to define. An AI strategy in this space would likely require narrowly, well-defined parameters, and clean unbiased data. Furthermore, it would require requisite insider threat security professionals with specific operations experience to assess, investigate, and interpret the indicators.

Dr. Christine Izuakor: Any final thoughts or comments that you want to share as we wrap up?

Virgil Capollari: I would just say that I think it's important for insider threat teams to step outside themselves and make communication really a priority of what they're trying to do. At the end of the day, this is not a gotcha game, we're trying to help, help maintain company operations, help maintain your teammates. The more inclusive you are, the more support you're going to get, and the better the program's going to be for everybody.

Dr. Christine Izuakor: Yeah, definitely well said. Hey Virgil, thanks so much for joining us today. That concludes the Veriato Insider podcast for this week. Again, this has been brought to you by Veriato, an award-winning cybersecurity company recently recognized with the gold award for the best insider threat solution of 2020. Their solutions are anchored around four core pillars of cybersecurity protection, including employee monitoring and web filtering, workplace investigations, insider threat detection, and ransomware support. To learn more about how Veriato can help protect your company, check out veriato.com. Thanks for tuning in and a special thank you to Virgil for joining us today. I'm Dr. Christine Izuakor, the CEO of Cyber Pop-up and it's been our pleasure to share these insights with you. Until next time, stay safe and secure, Insiders.
