How to police an organisation in the Digital Age

FIFA, Tesco, Toshiba, Age UK, Petrobras, Volkswagen and Turing Pharmaceuticals come from very different industries, but they all share one thing: they were badly damaged by bad decisions, and sometimes by illegal activity. Any organisation can join this club quite easily, and the scary thing is that it won't even know it has.

We already know that staff holding a professional certification (e.g. accountancy, legal, etc.) does not protect an organisation from the few who commit such damaging acts, so emphasis is rightly placed on the three lines of defense approach to managing organisational risk.

From my point of view, the staff training that fundamentally underpins all three lines of defense has a significant Achilles heel, and I want to use this as a case example of how increasingly sophisticated technologies can complement the three lines of defense in an evolved operating model.

Better Technology + Evolved Operating Model
=
Better Risk Protection

The Achilles heel that training suffers from is that a group of employees exists who cheat their way through it using many approaches. One typical approach is simply handing control to a subordinate, for example a personal assistant, to complete an online employee training test. They can also ask a friendly colleague, or they can team up with colleagues taking the same online test to collectively piece together the right answers and reach the required minimum pass score. Where a poor testing system is used, the technical failings have been funny to say the least, including one online test whose answers were available under the 'View Source' option in Internet Explorer.

The Three Lines of Defense need to evolve
It is a near daily occurrence that we hear of another mid-sized or large company suffering a data leak, hack or irregularity. In my view these come about because organisations are riddled with vulnerabilities, both technical and non-technical, due to their complexity.

The role of an Internal Affairs team conjures up visions of a Hollywood picture featuring a heroic police officer who is subject to their scrutiny. Internal Affairs operate on the basis that no one is above the law. They can use tools and techniques unavailable to the average police officer, including covert surveillance and formal internal interrogation. For most organisations the idea of deploying such a level of oversight and technique would seem a bit too much. But should it be?

How the latest technology can help the evolved model
Next-generation eDiscovery technologies are available. These technologies, though, are used when an external force is exerted on the organisation in question. The LIBOR and FIFA scandals both saw eDiscovery tools used to digest and analyse the evidence that has now led to the illegal activity being uncovered. But in both investigations the pressure came from 'external affairs' rather than the 'internal affairs' capability that is needed. With the average Fortune 500 company employing over 50,000 people, I see no valid reason to accept that advanced eDiscovery tools should continue to be used reactively and only for short-lived projects. How can that be justified?

The latest eDiscovery software is capable of collecting and analysing siloed, multi-system data and then spotting bad behaviour. I'm not talking about the very basic tracking of emails sent outside a company; we are way beyond that now. A typical proof of concept now takes less than three months, the technology is that easy to work with. It takes advantage of the latest advances in machine and deep learning, allowing the system to learn an individual employee's behaviour (a real 'digital fingerprint') and their associated level of risk as they go about their work.

This power needs a home, one that will respect it. So is it time to accept that a full-time internal affairs team has a part to play, where it can validate and escalate the concerns the system identifies, for example cheating on staff testing?

Advanced eDiscovery Technology + Internal Affairs Team
=
Real-time detailed risk oversight

This June the more recognised leaders in information security will exhibit in London at InfoSec. I'll definitely be there, and I'm very interested in talking to anyone about what they think is working in this area, both technically and non-technically.

If you learned anything from this article then I'd love a Like, or even better a Share.

Have a great day!

Jeanette Sjöberg

Architect Practice Manager & Leader (EMEA) - Industry Solutions @Microsoft

8 years ago

Interesting article Alan - Digital footprint sounds scary for most and invasive, however... it can be a positive for a responsive organisation where events can be published to accommodate a lean governance model for cloud solution delivery. Current command and control organisations suggest that there are operational controls that need to be adhered to, yet it is difficult to elicit exactly what they are - normally manual and individual people, so the process to deliver a service is extremely inefficient - governance is each ITIL activity split by department. It sounds like your discovery tools can allow events to be published as well within a cloud continuous integration and deployment model that remains ubiquitous to any employees yet subtly governs by establishing an employee baseline and any deviations from normal. Advantage = solution delivery faster while lean governance operates in the background. ....more thinking out loud - perhaps this is not that product/service, however Eric Marks has written quite a bit on lean governance that may complement the offering (Agile Path)

Richard Downes

Helping small to mid-size tech companies hire the very best AI/Machine Learning, Analytics, Cloud, Data and Full Stack Engineering talent

8 years ago

Thanks for the article Alan Grogan. Ved Sen, I read an interesting paper from the Harvard Business Review relating to cybersecurity's human factor: https://hbr.org/2015/09/cybersecuritys-human-factor-lessons-from-the-pentagon.

Ved Sen

Head of Innovation, TCS UK & Ireland

8 years ago

How much of the problem do you think is also the fact that typically internal affairs teams may be largely technophobic corporate lawyers or compliance people?