Skip to content

Responding To Insider Risk Is Hard. Here Are 4 Things You Need To Do.

Data doesn’t move outside your organization by itself. It’s your employees who move it. Data loss from insiders is a growing concern for organizations. In fact, there was a 32% year-over-year average increase in the number of insider events this past year, equating to an average of 300 events per company per year.  And it’s not slowing down. 71% of companies expect data loss from insider events to increase in the next 12 months. This increase in events will create more work for your security teams who are already stretched thin. In order to respond to these increasing events you need a program that’s both scalable and effective.

What does effective response to Insider Risk look like?

A successful Insider Risk program requires response controls that automate resolution of  everyday mistakes, block the unacceptable, and allow your security team to easily investigate what’s unusual. 

1. Set expectations

Before you implement an Insider Risk Management program, you need to set transparent expectations with your users. In the same way parents set expectations by creating rules for their children, security teams need to do the same for their employees. It’s critical to communicate your security policies and programs with your users so they can understand what is – and more importantly what’s not – acceptable when it comes to sharing data. Setting the ground rules will not only get everyone on the same page, but will give you clear means to hold employees accountable when rules are broken.

2. Change behavior

Once you’ve set expectations, you can focus on changing the behavior of users who will inevitably make non-malicious mistakes when it comes to data – they’re only human after all. Much like creating and sticking to a curfew for a child, holding your employees accountable for their mistakes will deter them from making the same mistake in the future. 

Real-time feedback to your users is critical when changing behavior. Having a program that can send tailored micro-training videos to users  is an excellent way to hold users accountable. For example, if Mark uploads a document via Dropbox but your company uses Google Drive, you need to be able to send just-in-time training to Mark letting him know the mistake he made and the way this should be done in the future. This is exactly what Code42 Incydr™ does with its embedded Code42 Instructor™ videos, and it’s the best way to prevent future events  in an empathetic way that assumes positive intent of employees. This accountability helps people follow rules and changes behavior over time. It also allows security analysts to address low and medium risk events at scale. With Incydr, trainings like this can be sent automatically and alerts closed out so that your security team can focus on the events that pose a real threat to your organization.

3. Contain threats

Training employees and holding them accountable for missteps will help with the majority of event volume, but we all know there’s no such thing as perfection. Insider threats will happen. Users will share data they aren’t supposed to. They will exfiltrate critical information like IP, customer lists, and product roadmaps. 

When this happens, you need to be able to quickly and easily take action to minimize damage. You need to be able to quarantine an endpoint, remove or reduce system access, and revoke file sharing privileges on a user level. Once you’ve taken the appropriate action, you can conduct a thorough investigation into the event and determine the best course of action to secure the data and address the user. Incydr delivers not only the containment controls needed to do this, but also the file access needed to review actual file contents, and the case management capabilities to document your investigation and escalate to business stakeholders. 

4. Block activity for your highest risk users

The final piece to a comprehensive response strategy is to be able to stop your riskiest users from sharing data to untrusted destinations. Your highest risk users, like departing employees, contractors and repeat offenders, pose a threat when sharing any data to destinations outside of your organization. By blocking activities for these users, you ensure the rest of your organization can continue to collaborate  while knowing data remains protected from the users most likely to cause harm. 

Code42 Incydr is the only Insider Risk Management solution that provides security teams with the full spectrum of response controls needed to address insider threat and build a security-first culture that reduces risk.

Only with Incydr, you can: 

  • Automatically send tailored micro-trainings to correct employee mistakes as they happen – driving down event volume and risk to data. 
  • Contain insider threats and speed investigations, with both integrated case management and access to file contents.  
  • Block unacceptable data movement without the management burden, inaccuracy, and endpoint impact of content-based policies.


How to build an effective, low-lift response strategy for Insider Risk

Get the White Paper

You might also like: