5 Steps to Navigating Insider Risk in the Post-Pandemic World

Here's your shocking statistic of the day: Employees are 85% more likely to leak files than they were before the pandemic. The truth is data security risks were growing before the pandemic, as companies prioritized speed and collaboration through the cloud. But as we've uploaded, downloaded, emailed, chatted, and sync-and-shared our way through the pandemic, these empowering and promising new ways of working are now also the biggest data security risks to the business. The real problem is that data security paradigms haven't caught up, leaving data security teams chasing from behind, flying blind on growing insider risk — all the while, frustrating users by holding back speed, ingenuity, and innovation.

Insider Risk Management: A Risk-Based, Data-Centric Approach 
Insider risk is any data exposure event — security, compliance, or competitive in nature — that jeopardizes the financial, reputational, or operational well-being of a company and its employees, customers, and partners. While insider risk might sound like a synonym for insider threat, it's not; an important distinction must be made. Insider threat focuses on a specific person or entity while insider risk focuses instead on data. 

At its core, insider risk is a data protection problem. Conventional, policy-based approaches like DLP, CASB, and UEBA focus on compliance, offering a perception of protection at best. When blocking is relied upon as the de facto response, the organization suffers in terms of employee productivity and the security team's internal reputation. Inevitably, these approaches result in risk being drowned out by the noise created by security teams existing in a state of perpetual maintenance mode — trying to maintain classification and policies, only to never truly attain the unreachable goal of blocking only the threats and nothing more. In contrast, insider risk management offers a data-centric approach, which ensures compliance with data use policies, builds a more risk-aware culture, and speeds the time to security value.

A Framework for Managing Insider Risk
More and more enterprise organizations recognize that insider risk presents a pervasive problem that isn't being solved by traditional approaches. In fact, according to Forrester, 71% of security decision-makers agree that traditional approaches to data loss aren't working. Insider risk is a complex and nuanced problem, which is why policy-based approaches, that require absolute knowledge to tag all valuable data and spot-on anticipation of all threat vectors, simply can't keep pace. You can't definitively block insider risk, nor would you want to. Instead, a smarter approach aims to understand, measure, and manage insider risk through five basic steps:

1) Identify: Where and when is your organization's data exposed to insider risk?
You can't manage what you can't see. But conventional policy-based data security tools can only look for what you tell them to look for — leaving large and growing blind spots. The first step in insider risk management is to put the right tools and technologies in place. It is crucial that you can monitor all data activity across all the three dimensions of risk: all files (not just regulated or classified ones), all vectors (devices on- and off-network, cloud apps, etc.), and all users.

2) Define: What data risk is not acceptable to your organization?
The concept of risk tolerance has been almost heretical in the world of data security until very recently. Now, almost all organizations acknowledge they must tolerate some level of insider risk in order to enable the agility, speed, and innovation required to survive and thrive in today's business climate. Once you have the comprehensive visibility and context around where your data is exposed, you need to align on an organizationwide insider risk tolerance — so that your security team can begin defining a list of trusted vs. untrusted activities and scenarios. Again, you can't hope to define all possibilities — but, rather, home in on common insider actions that represent leading indicators of insider risk.

3) Prioritize: When is the data your organization cares most about at the greatest risk?
The art of defining insider risk tolerance paves the way for the science that is prioritizing risk indicators. That is, using the rich context around data activity to triangulate leading indicators of insider risk. With the right data security technologies in place, your security team will have that contextual visibility that allows them to use these insider risk indicators to prioritize certain types of risk — such as source code exfiltration, suspicious file type mismatches, syncs to personal cloud storage, and departing employees — over lower-severity events.

4) Automate: How do you best respond to insider risk?
Just as a blanket blocking policy can't be applied to all users and all data, there is no one-size-fits-all response to insider risk. Your security team should work with line-of-business leaders to create right-sized responses for your prioritized insider risk events. Perhaps just as importantly, you need to put technologies in place that enable you to build highly automated insider risk response workflows that combine a series of human and technical responses right-sized for the severity of the event, without overly burdening security teams.

5) Improve: Is what you're doing actually working?
This last step is clearly absent from conventional policy-based approaches. The insider risk paradigm acknowledges that insider risk is constantly evolving, will always be present, and can't (shouldn't) be fully blocked. This makes it fundamentally critical to put tools and processes in place to measure (qualitatively and quantitatively), refine, and optimize your overall insider risk posture — leveraging risk intelligence and learnings to get smarter and better over time.

A New Paradigm: Data Security Without Compromise
As the world of work keeps accelerating, the same empowering ways of working that will define tomorrow's success also drive today's rapidly growing insider data risk. We can't ignore the need for a new data security paradigm to fit the future world of work. Security teams need the ability to prioritize the risks that matter most, while seeing everything — all data activity, across all vectors and all users, on and off the network. To accomplish this, they need to see deeper context, so they can parse risky activity from legitimate work. They need the ability to orchestrate highly automated, right-sized responses. And, perhaps most of all, they need to commit to doing it all without compromise — protecting the business, without sacrificing speed, collaboration, and innovation among users.

About the Author

Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore, vice president of portfolio marketing for Code42, and frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive intelligence, and product marketing teams. Mark joined Code42, a leader in insider risk detection and response, in 2016 bringing more than 20 years of B2B data storage, cloud, and data security experience with him, including several roles in marketing and product management at Seagate.