Four steps to successful empathetic investigations

How security conducts employee investigations needs to change. All too often, security investigations are an attempt to get an employee to admit to suspected wrongdoing. Times have changed. Instead of investigating employees the same way we investigate threats from external actors, it’s time to take a more empathetic approach to investigations.


Empathetic investigations begin with an inquiry that removes pre-judgement and approaches the situation with a blank slate. With 78% of data exfiltration events caused by non-malicious or unintentional behaviors, more often than not you will be connecting with a co-worker who’s just trying to get their work done, making mistakes, or taking shortcuts to move more quickly than your policy allows. So treating them as though their actions were intentionally malicious is absolutely the wrong approach and could backfire.

This may take some practice for those of us who have worked in security for a while. Historically we’ve spent more time chasing outside risks, so it’s become a natural instinct when we see a document moving to, say, a personal cloud drive, to think something malicious is going on and to want to confront the user. But it will serve us to build a new habit of pausing before reacting, and of putting our assumptions on hold until we can get more data, which we may need to get from the user. Here we outline four steps to develop trust with your users and stakeholders.

Step one – Connect to understand

When an event happens, such as an employee moving company files to their personal OneDrive account, the first outreach to the employee can be as simple as, “Hey, we noticed that you moved a document titled ‘XYZ’ to your personal OneDrive account. Did you mean to do that?” Then really listen to their response. The most likely response is going to be surprise, because they forgot or didn’t know that was a bad thing, or maybe they needed to get their work done and that was the quickest way to do it.

Step two – Reassure to support partnership

In any of those cases, you can move quickly to step two; if it was simply a mistake, let them know they are not in trouble. This is important because the employee likely believes they are, which, in extreme cases, can leave them wondering if they will lose their job and could lead to a natural human instinct to become defensive and deny the behavior. So, it’s important to reassure them that this event can be reversed and you are here to help. By reducing the employee’s anxiety, they are more likely to be honest with you about what they were trying to accomplish and you’ll be better positioned to help. Perhaps there’s an existing solution they didn’t know about or access they can request to, in this case, another company-approved storage or sharing solution.

Step three – Recover

Depending on what was moved and where it went, work with the employee to ensure the data is removed from the unsanctioned application or device swiftly. This is best done via a video call where you can ask the employee to share their screen so you can help make sure it is done properly. Choose your words carefully here so this request doesn’t come off as, “We need to watch that you do this because we don’t trust that you will do it or that you even know how.” Eek. Once that is done, if needed, you can send them a data destruction attestation to sign saying that they are not aware of the data residing anywhere outside the trusted network, in any form or fashion. Work with your legal team to establish when and how to use an attestation for your program.

Step four – Educate

It’s important to provide the employee information on the RIGHT way to take action in the future. Providing guidance at the time of the error is highly impactful and more likely to be remembered than, say, an annual training. This type of “just-in-time training” really works. Also, people are busy so if you want them to consume it, make it a quick lesson. We suggest a 1-3 minute training on the specific situation.

Taking an empathetic approach to investigations will help you build trust and respect with your users. It will build and perpetuate a positive security culture at your organization, but best of all, it will lead to fewer and fewer exfiltration alerts for your team.
