Unlike insider threats, Insider Risk is not a widely defined concept. To solve this problem, we’ve created our own definition for Insider Risk:
“Insider Risk occurs when any data exposure (regardless of perceived data value or user intent) jeopardizes the well-being of an organization and its employees, customers or partners.”
Insider Risk’s focus is on an organization’s data problems rather than its people problems. Insider threat management involves attempting to guess which users pose a threat to an organization’s data and taking action to manage those threats. This approach is often ineffective because most data breaches result from negligence rather than malice, so focusing only on the “obvious threats” means the negligent exposures are overlooked entirely.
In contrast, Insider Risk Management focuses on the data that is at risk of compromise. By monitoring for activities that place this data at risk, Insider Risk Management prepares an organization to respond to any potential data breach, regardless of the intent behind it.
Why are Insider Risks so dangerous?
Insider Risks are dangerous because every Insider Risk is a potential data breach waiting to happen. Insider Risks occur when data that is valuable and potentially injurious to an organization is exposed. This can occur with or without malicious intent on the part of the insider who caused the exposure.
Employees and other insiders require access to sensitive data in order to do their jobs; however, there is a fine line between “safe” and legitimate use of data and Insider Risks. Effectively managing the danger of Insider Risks requires the ability to differentiate between normal operations and Insider Risks. This enables the company to manage these risks while minimizing the impact on legitimate activity and employee productivity.
How do you identify Insider Risks?
A key part of Insider Risk management is accurately differentiating between legitimate and safe use of data and actions that place the company at risk. To help differentiate between these two cases, we recommend using the File-Vector-User approach by asking the following questions:
- File: What files are most valuable to your business?
- Vector: When, where, and how is your intellectual property (IP) moving?
- User: Who is moving it? Is this normal or abnormal?
These questions help to distill your organization’s vast collection of data and the actions performed using that data down to the true events of interest. Each of these questions helps to eliminate some of the “noise” that can be safely overlooked:
- File: While your organization may have a lot of data, not all of it is sensitive or critical to operations. Figuring out which data is important or potentially damaging to your organization enables you to largely ignore the rest.
- Vector: Data moves through your organization’s networks constantly, and most of this movement is part of legitimate business operations. It’s the anomalies that you need to worry about.
- User: Not all users in your organization are the same. Something that is normal for a database administrator (like deleting a database table) is a major red flag for an employee in the finance department. This context is essential to detecting Insider Risks.
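As an added example (not code from the original post), the three File-Vector-User questions turned into a simple triage score over constructed file-movement events, so that an event is only surfaced when the file, the channel and the user's role together make it abnormal. The sensitive path prefixes, vector weights, per-role baselines and the flag threshold are all assumptions for illustration.

```python
from typing import NamedTuple

# "File": path prefixes assumed to hold the organization's most valuable data.
SENSITIVE_PREFIXES = ("/finance/", "/source/", "/customers/")
# "Vector": assumed risk weight per movement channel (0 = routine internal movement).
VECTOR_WEIGHT = {"network_share": 0, "email_internal": 0,
                 "email_external": 1, "cloud_personal": 2, "usb": 2}
# "User": assumed baseline of channels normal for each role (unlisted roles get none).
ROLE_BASELINE = {
    "engineering": {"network_share", "email_internal"},
    "finance": {"network_share", "email_internal", "email_external"},
}
FLAG_THRESHOLD = 4  # assumed cut-off; tune against your own false-positive rate

class FileEvent(NamedTuple):
    user: str
    role: str
    path: str
    vector: str

def score_event(ev: FileEvent) -> tuple[int, list[str]]:
    """Score one event on the File, Vector and User axes; return (score, reasons)."""
    score, reasons = 0, []
    if ev.path.startswith(SENSITIVE_PREFIXES):  # File: is this data worth protecting?
        score += 2
        reasons.append("sensitive file")
    weight = VECTOR_WEIGHT.get(ev.vector, 2)  # Vector: unknown channels count as risky
    if weight:
        score += weight
        reasons.append(f"risky vector: {ev.vector}")
    if ev.vector not in ROLE_BASELINE.get(ev.role, set()):  # User: normal for this role?
        score += 1
        reasons.append(f"abnormal for role {ev.role}")
    return score, reasons

def triage(events: list[FileEvent]) -> list[tuple[str, int, list[str]]]:
    """Keep only events at or above the threshold, as (user, score, reasons)."""
    scored = [(ev.user, *score_event(ev)) for ev in events]
    return [row for row in scored if row[1] >= FLAG_THRESHOLD]

SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    FileEvent("alice", "engineering", "/source/app/main.py", "network_share"),
    FileEvent("bob", "finance", "/finance/q3_forecast.xlsx", "email_external"),
    FileEvent("carol", "marketing", "/marketing/blog_draft.md", "cloud_personal"),
    FileEvent("dave", "engineering", "/source/app/main.py", "usb"),
    FileEvent("erin", "engineering", "/finance/q3_forecast.xlsx", "email_external"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # expected: only dave and erin are flagged
```

Note how bob and erin move the same finance file by the same external channel, yet only erin is flagged, because that vector is baseline for finance and abnormal for engineering; carol's personal-cloud upload is ignored because the file is not sensitive.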