Insider risk is any user-driven data exposure event, either malicious, negligent, or accidental in nature. As insider risk grows, the standards for security teams today are edging on impossible: You're expected to have comprehensive visibility and context around risk in your environment. You're asked to act with lightning speed and 100% conviction — but also show careful sensitivity to employee privacy. And of course, you can't slow down productivity or impede collaboration. Your strategies and actions need to fit with corporate cultures that prioritize openness and collaboration.
Security Teams Don't Have the Tools They Need to Manage Insider Risk
Here’s the thing: When we talk to peers in the field, they tell us these expectations aren’t the problem; it’s the tools. Most organizations are still using conventional data security tools like data loss prevention (DLP), cloud access security broker (CASB), and user entity behavior analytics (UEBA) — complex tools that focus on blocking and rely on painstaking data classification and policy management. And this approach just isn't keeping up. A whopping 74% of companies that have experienced a data breach caused by insiders already had a data protection solution like DLP or CASB in place. So, what does a better solution for insider risk look like?
Is It Effective?
The first, most obvious criteria is: Does it do what you want it to do? That depends on who you're talking about, because effectiveness means one thing to security teams (those tasked with managing insider risk) and often something very different to end users and business leaders.
- Effective for security teams: For security teams, effectiveness starts with comprehensive visibility. The biggest shortcoming of conventional tools like DLP and CASB is that they only see what they're told to look for — because they were built for a long-ago world where all that needed protecting was a specific subset of structured, regulated data. But today, we're dealing with tremendous breadth of valuable data, and that data is incredibly dynamic. In this environment, security teams need a solution that lets them see all data movement. That solution needs to unburden the security team from the data classification and policy management that ultimately makes policy-based blocking tools untenable. And it can't have blind spots. It needs to enable security to see data movement across all channels — both managed and unmanaged endpoints of remote workers, on and off the VPN, in cloud sharing and collaboration apps, and into the murky corners of shadow and mirror IT.
- Effective for end users: For end users (and business leaders), it's all about productivity. A better solution needs to fit with collaboration culture. To get buy-in from the top down, it should directly help foster the employee ingenuity, speed, agility, and innovation that defines the most successful companies today. It can't slow down end users; they can't feel like they're limited in how they can get work done or collaborate with each other. DLP, CASB, and the like have become major frustrations because they block legitimate activity. And when end users get frustrated, they just find ways around the tools and policies — deepening the insider risk problem and expanding your blind spots. The right solution needs to be lightweight, frictionless, and nearly invisible to end users. Not because an insider risk program should be secretive, but because the security team ultimately isn't interested in what users are doing — they care where the data the business cares about most is going.
Is It Focused?
Seeing everything is powerful, and it's absolutely essential to understanding and mitigating insider risk. But seeing everything — unfiltered — is also overwhelming. Security teams need a clear signal of risk to act effectively. That means they need a solution that is smart enough to recognize what is trusted versus untrusted activity and tune out the deafening noise of harmless everyday activity — so they don't get buried in alerts and plagued with alert fatigue. They need a solution that prioritizes risk based on what the business does and does not tolerate in order to understand the nuance of each insider risk event.
Is It Fast?
What about speed? Time is money with insider risk. We're talking about sensitive data and valuable IP getting exposed. The longer it takes to respond, the higher likelihood of serious impacts — legal costs to recover data, lost competitive advantage, and reputation damage echoing long into the future. So, a solution that's effective and focused isn't worth much unless it enables a security team to act fast — with conviction — to mitigate insider risks. Insider risk is growing and managing it is vital to both security and governance, risk, and compliance (GRC) teams and the broader organization.
Discover a new approach to Insider Risk Management at http://code42.com/showme.
About the Author
Mark Wojtasiak is co-author of the book Inside Jobs: Why Insider Risk is the Biggest Cyber Threat You Can't Ignore, vice president of portfolio marketing for Code42, and frequent cybersecurity blog contributor. In his role at Code42, he leads the market research, competitive intelligence, and product marketing teams. Mark joined Code42, a leader in insider risk detection and response, in 2016, bringing more than 20 years of B2B data storage, cloud, and data security experience with him, including several roles in marketing and product management at Seagate.