What is Insider Risk?

Unlike insider threats, Insider Risk is not a widely defined concept. To solve this problem, we’ve created our own definition for Insider Risk:

“Insider Risk occurs when any data exposure (regardless of perceived data value or user intent) jeopardizes the well-being of an organization and its employees, customers or partners.”

Insider Risk’s focus is on an organization’s data problems rather than its people problems. Insider threat management involves attempting to guess which users pose a threat to an organization’s data and taking action to manage these threats. However, this approach is often ineffective because most data breaches occur due to negligence, which means that focusing on the “obvious threats” will cause these negligent exposures to be overlooked entirely.

In contrast, Insider Risk Management focuses on the data that is at risk of compromise. By monitoring for activities that place this data at risk, Insider Risk Management prepares an organization to respond to any potential data breach, regardless of the intent behind it.

Why are Insider Risks so dangerous?

Insider Risks are dangerous because every Insider Risk is a potential data breach waiting to happen. Insider Risks occur when data that is valuable and potentially injurious to an organization is exposed. This can occur with or without malicious intent on the part of the insider who caused the exposure.

Employees and other insiders require access to sensitive data in order to do their jobs; however, there is a fine line between “safe” and legitimate use of data and Insider Risks. Effectively managing the danger of Insider Risks requires the ability to differentiate between normal operations and Insider Risks. This enables the company to manage these risks while minimizing the impact on legitimate activity and employee productivity.

How do you identify Insider Risks?

A key part of Insider Risk management is accurately differentiating between legitimate and safe use of data and actions that place the company at risk. To help differentiate between these two cases, we recommend using the File-Vector-User approach by asking the following questions:

  • File: What files are most valuable to your business?
  • Vector: When, where, and how is your intellectual property (IP) moving?
  • User: Who is moving it? Is this normal or abnormal?

These questions help to distill your organization’s vast collection of data and the actions performed using that data down to the true events of interest.

Each of these questions helps to eliminate some of the “noise” that can be safely overlooked:

File

While your organization may have a lot of data, not all of it is sensitive or critical to operations. Figuring out what data is important or potentially damaging to your organization enables you to largely ignore the rest.

Vector

Data moves through your organization's networks constantly, and most of this movement is part of legitimate business operations. It’s the anomalies that you need to worry about.

User

Not all users in your organization are the same. Something that is normal for a database administrator (like deleting a database table) is a major red flag for one of the employees in the finance department. This context is essential to detecting Insider Risks.

What is the most likely sign of an Insider Risk?

Attempting to individually consider every piece of data and activity in your environment for potential Insider Risk is not a scalable approach. Luckily, there are some tools that can help with differentiating risks from normal activity.

Insider Risk Indicators (IRIs) are anomalies that highlight a potential Insider Risk. Examples of IRIs include:

File Access at Unusual Hours

Most employees have a fairly consistent work schedule. If an employee’s account is accessing data outside of these standard hours, it may indicate an attempt to conceal file downloads or a compromised account.

Lifecycle Milestones

Many employees attempt to take data with them when leaving a company (voluntarily or not). File access by a departing or terminated employee can indicate an Insider Risk.

Misleading File Extensions

Many data protection solutions focus on blocking exfiltration of certain types of files based on their extensions (.docx, .pdf, etc.). Attempted transfers of files whose contents don’t match their extensions are likely an Insider Risk.

Use of Untrusted Domains

Data transfers within a company’s network and domains are likely legitimate and necessary for normal operations. However, transfers to external and unapproved domains, such as a personal cloud drive, can be a sign of an Insider Risk.

These are some examples of IRIs that a company can use for Insider Risk detection. To learn more about IRIs and Insider Risk detection, sign up for Code42’s Insider Risk Detection Workshop.
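The four IRIs above can each be expressed as a check on a single file-movement event. The following is an added example, not code from this page or from Code42; the event fields, user baselines, approved-domain list and sample events are all constructed assumptions.

```python
from datetime import datetime

# All names and values below are constructed for illustration.
MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
         ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}
APPROVED_DOMAINS = {"corp.example", "sharepoint.corp.example"}
WORK_HOURS = {"alice": (8, 18), "bob": (8, 18)}   # per-user baseline, local time
DEPARTING = {"bob"}                               # e.g. fed from HR offboarding

def extension_mismatch(name, head):
    """True when a known extension's signature is absent from the file header."""
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    sig = MAGIC.get(ext)
    return sig is not None and not head.startswith(sig)

def untrusted(domain):
    """True unless the destination is an approved domain or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return not any(d == a or d.endswith("." + a) for a in APPROVED_DOMAINS)

def indicators(ev):
    """Return the IRIs raised by one file-movement event."""
    hits = []
    start, end = WORK_HOURS.get(ev["user"], (0, 24))
    if not start <= datetime.fromisoformat(ev["time"]).hour < end:
        hits.append("unusual_hours")
    if ev["user"] in DEPARTING:
        hits.append("lifecycle_milestone")
    if extension_mismatch(ev["file"], ev["head"]):
        hits.append("misleading_extension")
    if untrusted(ev["dest"]):
        hits.append("untrusted_domain")
    return hits

EVENTS = [  # constructed sample events
    {"user": "alice", "time": "2024-03-04T10:15:00", "file": "q1-plan.pdf",
     "head": b"%PDF-1.7", "dest": "sharepoint.corp.example"},
    {"user": "bob", "time": "2024-03-05T02:40:00", "file": "holiday.jpg",
     "head": b"PK\x03\x04\x14\x00", "dest": "drive.personal-cloud.example"},
    {"user": "alice", "time": "2024-03-05T11:00:00", "file": "roadmap.docx",
     "head": b"PK\x03\x04\x14\x00", "dest": "corp.example.upload.example"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["user"], ev["file"], indicators(ev))
```

The third event shows why the domain check matches on a dot boundary from the right: a destination that merely begins with an approved name is still flagged as untrusted.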
