Industry Insights

What’s Holding Organizations Back from Properly Managing Insider Risk?

5 min Read

Christina Richmond

Program Vice President - IDC

When it comes to security breaches, there has been a lot of news about external threats. Attacks that shut down pipelines or cripple large companies that fork over millions of dollars in ransom are obvious headline grabbers. While receiving less attention, insider threats are still noteworthy. In effect, an insider threat takes into account malicious insiders (employees, former employees, contractors, or business associates) who have legitimate access to systems and data yet use that access to destroy or steal data. In some cases, such actors even sabotage systems. Yet considering insider threats, while important, only sheds light on part of the insider risk picture, because it leaves out well-meaning staff who accidentally put security at risk or divulge data unintentionally.

This is where insider risk management or IRM comes in.

Think of IRM as an overarching strategy in which organizations view insider threats in a comprehensive manner. In this way, IRM can help organizations become data-centric instead of focusing on users and personas. With a data-centric focus, organizations can truly quantify risk and understand their data. Essentially, IRM is the lens through which organizations can accurately assess risk.

Unfortunately, the threat from insiders is discussed far more often than the risk from insiders. The key difference between the two: insider threats focus on "the few" employees who may reveal themselves to be a threat over time, rather than "the many" employees who can inadvertently become a threat. And focusing solely on insiders leaves out an important part of the equation: third parties. By glossing over third parties, organizations perpetuate a misperception of who the potential perpetrators of insider threat are, which of course leads to a misperception of the risk itself.

Security technology choices tend to exacerbate the issue. Typically, insider threat is managed through a point solution such as a data loss prevention (DLP) tool in a "set and forget" manner. Also typical: responsibility for insider risk is misunderstood. Any risk management program without a communication paradigm that clearly identifies who is ultimately responsible, accountable, consulted, and informed (what's known as a RACI matrix) leaves an organization pointing fingers with no true ownership. This is a perfect environment for insider threats to wreak havoc.

Risk must be a top priority, and discussions must include the most basic level of data being compromised—intentionally or accidentally—by employees. Most enterprise risk management (ERM) programs will look at employees as a potential risk factor, but ERM is more likely to rely on a point solution with a many-to-one approach. This doesn't apply true IRM tenets.

What are true IRM tenets? Look for better ways to understand data at rest and in motion so you can identify when it is exposed. By starting here, an organization gains the foundation it needs to determine what level of risk is acceptable and which leading indicators of risk to prioritize. With this approach, organizations can ultimately quantify the impact of insider risk. Organizations should also shift the risk conversation from one that focuses on the malicious insider to one that takes a data-centric rather than an employee-centric perspective. Taking this perspective requires organizations to cast off preexisting biases and focus on data detection and response, which can be accomplished by implementing clearly defined workflows.

Risk management philosophy allows an organization to determine its own risk posture, but it is best to always assume some level of risk. Organizations need to be aware of data exposure and be able to prioritize leaks in order to prevent them. Monitoring and insight must span all systems, files, and users, and this visibility should be contextualized by security policies. Management must be simple, iterative, automated, and orchestrated. It must also include employee training.

Neglecting insider risk leaves an organization increasingly exposed. Done right, IRM ensures that companies continually improve their insider risk posture by reducing corporate data leakage, shadow IT, insider threats, and third-party risk, and by maximizing the effectiveness of security awareness training. The end result: compliance with data use policies, and a more risk-aware culture.

Managing risk is an ongoing effort, not a static activity. That's why policy-based solutions that are configured and installed once, yet require constant tuning and maintenance, do not address the issue holistically. Tools built with an IRM approach in mind understand the dynamic nature of this problem and prioritize risk based on context that is always changing and always monitored. In effect, organizations are on a journey, and an improved risk posture is the destination.

Christina Richmond

Christina Richmond is the Program Vice President for IDC's Security Services research practice. She is responsible for the day-to-day management of the program. Core research coverage for the team includes, but is not limited to, security consulting, integration, and managed services. In addition, the team looks at services that help organizations adopt emerging technologies like Cloud, Edge, and IoT as well as key focus areas such as Risk, Data Privacy and Compliance. Christina brings a wealth of security services expertise and knowledge to the position and is frequently sought after by IT security executives to share her research and insights on dynamics and trends in the security industry.