The risk of insider threats has gained relevance among corporate security priorities, becoming one of the biggest concerns for CISOs and, increasingly, senior management. This shift is positive: executive support makes it possible to design and implement insider risk management plans tailored to the specific protection needs of the organization.
Incidents of this type are not improbable. For example, an employee hired by a competitor might download sensitive strategic information before leaving the company. Such actions could compromise customer or supplier lists, confidential data, or even intellectual property, putting the organization’s competitiveness and integrity at risk.
According to Proofpoint, in 2024, 46% of security professionals reported having faced a loss of confidential data in the past 12 months; of those, 70% agreed that employee exits contributed to that loss. Despite this, 82% of CISOs believe they have adequate controls in place to protect their data.
Effective management of internal risks involves moving to a proactive approach, allowing incidents to be prevented instead of merely reacted to; gaining a clearer understanding of users and the data at risk to ensure that existing security controls are in place to protect them; and improving response times with defined procedures.
Launching a new insider risk management program, or enhancing an existing one, requires a strategic, preventive approach that is integrated into the business vision. The goal is not only to respond adequately to any threat, whether explicit or implicit, but also to make the company more efficient and productive by reducing potential disruptions.
The Proofpoint threat research team recommends these five guidelines for defining an effective plan:
- Form a cross-functional team with the appointment of an executive leader and a steering committee. Managing insider threat risk should be regarded as a responsibility of the entire organization, including legal, human resources, compliance, operations, executives, and even the board of directors. Everyone must work together to achieve the common goal of reducing organizational risk, making it crucial to have internal executive support that promotes the program and helps overcome obstacles.
- Define objectives to see what makes the organization vulnerable and prevent an internal risk from becoming a real threat. This involves identifying internal people at risk and sensitive data. Until these factors are clear, protection will not be possible. It’s also necessary to ensure compliance with requirements while trying to find a balance between business needs, security controls, and user productivity.
- Understand the organization’s starting point before planning any insider threat program. Assess current capabilities for detection, response, analysis, and prevention; existing investments; and the effectiveness of the current insider threat program, if any.
- Take action with an operational security process that allows analysts to react, conduct a real risk assessment, and then escalate through predefined channels. Clearly defined operational guidelines help steer investigations and mitigation actions. It is also essential to define the escalation process in collaboration with human resources, legal, compliance, executive leadership, and the company itself, and to ensure that the relevant user base accepts oversight of risk behaviors.
- Regularly review the insider risk program’s processes and evolve them according to the organization’s needs: develop objectives intentionally rather than reactively, identify metrics based on agreed steps and program growth, collaborate with stakeholders to maintain and expand the program, and automate prevention and remediation so analysts gain effectiveness and save time.