Insider risk is rapidly becoming one of the biggest concerns for security teams and C-suites alike. But here’s the most challenging thing about insider risk: it can’t be approached the same way you defend against external threats, or you’d bring your business to a halt. Risk to data due to employee behavior can never be fully avoided because it would require organizations to give up all the benefits of productivity and collaboration. Insider risk is an unavoidable product of our new world of work. Here’s what we mean:
The modern world of work looks vastly different than even five years ago. Companies in every sector are evolving at their core as digital transformation efforts push them to do business in new ways and with new technologies.
The expectations and behaviors of the workforce are also transforming. Employees are working remotely and collaboratively with many colleagues, partners and customers. They’re accessing data through cloud products from a variety of networks and devices.
And the way they think about their work is changing, too. As workers switch jobs more frequently, notions of loyalty are waning and employees have a stronger allegiance to the work they do (and the ideas they create) than to the company they do it for. Employees increasingly believe that they own the ideas they create — and 2 in 3 employees openly admit to taking ideas with them when they leave because they think it is their right to do so.
These changes aren’t a sudden shift; they’re a natural evolution. Companies have been pushing to move faster and be more agile for two decades now — and a major part of that is empowering employees to work in easier, smarter ways. But this evolution means data is more portable than ever. Workers are more mobile than ever. Collaboration is more critical to business success than ever. Together these factors dramatically increase the performance of a business while also increasing the prevalence of insider threat incidents.
In short, managing insider risk requires security’s mindset and tech stack to evolve because it can’t be managed through approaches that address risk at the cost of innovation and growth. Security teams need to be able to allow collaboration while ensuring there’s a way to quickly and accurately detect the risks that truly matter.
Block or surveil: Two common approaches to addressing insider risk
Here’s another big challenge for security teams tasked with managing insider risk: insider risk is a business problem that is not solved by any one category of software. Today, there are two main technical approaches to addressing the insider risk problem:
Policy-focused security products (e.g. DLP, CASB)
Until recently, policy-focused tools like DLP and CASB were the predominant approach to the insider risk challenge. These tools have been implemented by most businesses and focus on protecting data, but the problem is that they were designed to protect regulated data like social security numbers, patient records and credit card numbers. DLP and CASB vendors aren’t shy about telling security teams that their tools can stop data from leaving — and plenty of security teams have tried valiantly to shoehorn these tools into their insider risk use cases.
But the fundamental problem is that a policy-based, prevention-only approach has failed and will keep failing. Using these technologies to address insider risk becomes too complex to do well. They only catch what you tell them to look for — and the harsh truth is that you can’t perfectly define all high-value business data, and your creative users will find their way around policy. Security teams end up overwhelmed with constant policy updates, long lists of exceptions, and too many false positives. Moreover, go too far with your prevention tools, and you accidentally impede even sanctioned use of data. In other words, you’ll end up stifling the valid creation and sharing of the ideas and trade secrets you’re trying so hard to protect.
User-focused security products (e.g., UEBA, UAM)
With DLP struggling to keep up, more security teams are implementing user-focused tools like UEBA and UAM to provide much-needed context. These tools monitor user activity and attempt to identify normal vs. abnormal behavior based on user patterns. But issues arise because these tools take a heavy-handed surveillance approach. They perform invasive monitoring including real-time logging of keystrokes and recordings of a user’s computer screen and microphone. These tools also fail to solve the complexity problem and leave security teams overburdened with on-premises infrastructure and policy administration.
User-focused security tools bring up uncomfortable privacy concerns around surveilling your employees. User surveillance threatens to damage company and workplace culture in fundamental ways. It places the emphasis on employees as the “bad guys” rather than on security’s goal of managing risk to data. At a culture-driven time when CEOs in every segment are championing their people as their biggest asset and competitive advantage, building an insider risk program around user surveillance makes a dramatic statement about trust. It also creates a problematic, adversarial relationship between security teams and users. When security is seen as the “police” rather than a business partner it jeopardizes a critical element in any insider risk program — employee education and adherence.
The need for data risk intelligence
So, here’s where we’re at with insider risk software: As the complexity of your ecosystem keeps growing, security teams are trying to fit square pegs into round holes, using tools that weren’t built to support the speed and collaboration required by the business. They’re adding more complexity. They’re lacking the contextual intelligence needed to determine what data truly matters and what activities actually represent real risk. The dangerous result is that security teams aren’t able to distinguish between harmless and harmful activity. Insider risk response time is measured in days, weeks or even months — because if you can’t detect and investigate risk fast enough, you can’t possibly respond fast enough.
How Code42 Incydr better approaches insider risk
What security teams need today is a purpose-built insider threat software solution that gives them data risk intelligence so they can quickly and accurately detect, investigate and respond to insider risk. Here’s why Code42 Incydr is uniquely designed to deliver on these needs:
Differences of the Incydr approach
- Built to secure the collaboration culture — not change it.
Incydr was designed to help you manage risk to data without disrupting legitimate employee work and collaboration like policy-based tools do.
- Focused on data risk — not user surveillance.
You don’t care about Susan’s online shopping. You don’t care about Jim’s Facebook posts. You don’t want to watch everything your users are doing; you just want to watch what matters: how and when data is put at risk. Incydr focuses on data events instead of invasive user surveillance. We pinpoint what needs investigation by putting data events in context with relevant file and user detail so you can focus on your real data risk.
- Deploys in days — not months.
Many UEBA and DLP products are on-premises — which means new features are released slowly, and the products are neither easy to deploy nor cheap to manage. Incydr is built for the cloud. We deploy in days to give you a complete picture of high-risk data activity across computers, cloud and email, without complex policy setup.
Differences of the Incydr product
- Purpose-built insider risk workflows.
Insider risk is a daunting problem. Incydr lets you quickly get started where you have the biggest risk, using purpose-built workflows for some of the most prevalent insider risk scenarios, such as protecting data during employee departure. Our focused dashboards, alerts and investigation workflows allow security to quickly detect data risk throughout the employee lifecycle without complex administrative overhead. And, we provide a single view to see all risks across computers, cloud and email.
- Unmatched visibility into browser-based upload activity.
Many know the risks posed by Shadow IT, but a new challenge is emerging: how can security detect unsanctioned activity when a product is used by both consumers and enterprises? Most solutions aren’t able to distinguish between personal and corporate upload activity when products like Gmail and Slack are also deployed for corporate use. Incydr provides the active browser tab title and URL so security can detect files sent to personal accounts and quickly take action.
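To make the dual-use problem concrete, here is an added example (not Code42’s or Incydr’s code) that classifies browser upload events as corporate or personal using only the URL host and active tab title; the corporate Slack workspace host, the company mail domain and all sample events are constructed assumptions.

```python
"""Added example: separate corporate from personal uploads to dual-use SaaS
products by reading the destination URL host and the active browser tab title.
Tenant names and events below are constructed, not real telemetry."""
from typing import Optional
from urllib.parse import urlparse

# Assumed corporate tenants: the sanctioned Slack workspace host and the
# company's mail domain as it appears in the signed-in Gmail account address.
CORP_SLACK_HOSTS = {"acme-corp.slack.com"}
CORP_MAIL_DOMAIN = "acme-corp.example"


def classify_upload(url: str, tab_title: str) -> Optional[str]:
    """Return 'corporate', 'personal', or None for destinations we do not track.
    Assumptions: Slack exposes the workspace as the URL host, and Gmail shows
    the signed-in address in the tab title (e.g. 'Inbox - user@domain - Gmail')."""
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(".slack.com"):
        return "corporate" if host in CORP_SLACK_HOSTS else "personal"
    if host == "mail.google.com":
        for token in tab_title.split():
            if "@" in token:  # first e-mail address in the title is the account
                domain = token.rsplit("@", 1)[1].strip("()").lower()
                return "corporate" if domain == CORP_MAIL_DOMAIN else "personal"
        return "personal"  # no account visible: do not assume it is sanctioned
    return None


def flag_personal_uploads(events):
    """Return file names sent to personal accounts of dual-use products."""
    return [ev["file"] for ev in events
            if classify_upload(ev["url"], ev["tab_title"]) == "personal"]


# Constructed sample file-upload events with browser context.
SAMPLE_EVENTS = [
    {"user": "susan", "file": "roadmap.pptx",
     "url": "https://acme-corp.slack.com/files/upload", "tab_title": "general - Acme Corp - Slack"},
    {"user": "susan", "file": "q3-customers.csv",
     "url": "https://familychat.slack.com/files/upload", "tab_title": "random - familychat - Slack"},
    {"user": "jim", "file": "contract.pdf", "url": "https://mail.google.com/mail/u/0/#inbox",
     "tab_title": "Inbox (2) - jim@acme-corp.example - Acme Mail"},
    {"user": "jim", "file": "salary-bands.xlsx", "url": "https://mail.google.com/mail/u/1/#inbox",
     "tab_title": "Compose - jim.personal@gmail.com - Gmail"},
    {"user": "jim", "file": "notes.docx", "url": "https://acme-corp.sharepoint.com/sites/eng",
     "tab_title": "Engineering - Home"},
]

if __name__ == "__main__":
    print(flag_personal_uploads(SAMPLE_EVENTS))  # constructed data: two personal uploads
```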
- Ability to respond to categories of insider risk beyond data exfiltration.
Data exfiltration isn’t the only insider risk. New employees can bring in files (data infiltration) that present legal risk to your company. And then there’s the risk of sabotage, where a disgruntled employee intentionally changes or destroys valuable data. Think it doesn’t happen? A top Hershey executive was recently caught deleting important data before leaving the company. Incydr can help you not only detect these types of events but also recover data employees attempt to destroy.
Here’s the bottom line: employees are more empowered than ever to move and share data. This is what accelerates business growth and innovation. Successful businesses will embrace this culture of collaboration and find a way to secure it, not stop it. Insider risk detection, investigation and response have to get easier. But this is only possible if security teams have the tools in place that give them the contextual intelligence to quickly and accurately distinguish between everyday activity and the activities that actually put company data at risk — and that’s exactly the risk signal that Code42 Incydr provides.