Javier García Chappell
Managing Director, FTI Consulting
When we talk about threats or risks in technological matters, perhaps the first thing that comes to mind is cyberattacks, given the impact in terms of media resonance that affairs of this sort have. It can hardly be doubted that this is an important aspect that companies must take into consideration. However, less is said about another matter that is not to be neglected or overlooked. I am referring to the potential malpractices or irregularities committed by employees, which are also known as insider threats.
It is a proven fact that technological risks are among the main concerns of corporate senior management. This is corroborated by the general counsels interviewed in our latest 2022 General Counsel Report. They agree that the past two years have seen a significant increase in the importance of technology and the use of electronic data in business decision-making. According to respondents, there are also reports of greater concern among executives about the risks related to data processing – i.e. issues such as privacy, security, and data protection.
Such concerns relate to potential external risks (e.g. hackers) but also to internal risks resulting from wrongdoing and insider threats on the part of employees. These can often be involuntary, or be caused by a lack of checks or by absent prevention and monitoring systems. An example of this is allowing access to work documents from non-corporate devices, or the use of corporate devices for personal matters. Both instances make data protection strategies more complicated to implement.
When making a corporate decision regarding the use, handling and transfer of any type of electronic data, we must consider all possible risks associated. The likely consequences that can ensue from failing to take adequate measures can include, among others, fines, an impact on the company's reputation, loss of business, and competitive disadvantages.
Knowing your data must be the basis of any insider threat prevention strategy. If you know your data well enough, you will be able to apply an adequate risk mitigation methodology. It is as simple as asking yourself: What type of data? Why do I have this data? Where is it stored?
In keeping with the starting point, the next step is to identify strategies for companies to implement in order to mitigate such risks. What is important is actually having pre-established and proven methodologies and processes in place that allow companies to react promptly to any need or requirement – whether arising from an internal or external request, or from a legal, judicial or regulatory requirement. This is where technology really proves to be useful as it allows different processes to be combined—including Artificial Intelligence (AI)—which allow certain problems to be solved automatically through progressive learning (Machine Learning). Such learning may then help to identify anomalies that can alert us to possible illegal actions by employees.
Such combination can greatly simplify processes and reduce time and costs associated with a number of tasks. But above all, it allows you to keep control over your company's data.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.