Responding to Insider Risk is Hard. Here Are 4 Things You Need to Do.
Blog Article Published: 05/11/2023
Originally published by Code42.
Written by Meredith Atkinson.
Data doesn’t move outside your organization by itself. It’s your employees who move it. Data loss from insiders is a growing concern for organizations. In fact, there was a 32% year-over-year average increase in the number of insider events this past year, equating to an average of 300 events per company per year. And it’s not slowing down. 71% of companies expect data loss from insider events to increase in the next 12 months. This increase in events will create more work for your security teams who are already stretched thin. In order to respond to these increasing events you need a program that’s both scalable and effective.
What does effective response to Insider Risk look like?
A successful Insider Risk program requires response controls that automate resolution of everyday mistakes, block the unacceptable, and allow your security team to easily investigate what’s unusual.
1. Set expectations
Before you implement an Insider Risk Management program, you need to set transparent expectations with your users. In the same way parents set expectations by creating rules for their children, security teams need to do the same for their employees. It’s critical to communicate your security policies and programs with your users so they can understand what is – and more importantly what’s not – acceptable when it comes to sharing data. Setting the ground rules will not only get everyone on the same page, but will give you clear means to hold employees accountable when rules are broken.
2. Change behavior
Once you’ve set expectations, you can focus on changing the behavior of users who will inevitably make non-malicious mistakes when it comes to data – they’re only human after all. Much like creating and sticking to a curfew for a child, holding your employees accountable for their mistakes will deter them from making the same mistake in the future.
Real-time feedback to your users is critical when changing behavior. Having a program that can send tailored micro-training videos to users is an excellent way to hold users accountable. For example, if Mark uploads a document via Dropbox but your company uses Google Drive, you need to be able to send just-in-time training to Mark letting him know the mistake he made and the way this should be done in the future. This accountability helps people follow rules and changes behavior over time. It also allows security analysts to address low and medium risk events at scale.
3. Contain threats
Training employees and holding them accountable for missteps will help with the majority of event volume, but we all know there’s no such thing as perfection. Insider threats will happen. Users will share data they aren’t supposed to. They will exfiltrate critical information like IP, customer lists, and product roadmaps.
When this happens, you need to be able to quickly and easily take action to minimize damage. You need to be able to quarantine an endpoint, remove or reduce system access, and revoke file sharing privileges on a user level. Once you’ve taken the appropriate action, you can conduct a thorough investigation into the event and determine the best course of action to secure the data and address the user.
4. Block activity for your highest risk users
The final piece to a comprehensive response strategy is to be able to stop your riskiest users from sharing data to untrusted destinations. Your highest risk users, like departing employees, contractors and repeat offenders, pose a threat when sharing any data to destinations outside of your organization. By blocking activities for these users, you ensure the rest of your organization can continue to collaborate while knowing data remains protected from the users most likely to cause harm.
About the Author
Meredith is a Senior Product Marketing Manager at Code42 primarily responsible for the Incydr product content and launches.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.