
5 Simple Steps to Getting Started with Insider Risk Management

All the documents you need to start your Insider Risk Management Program


Organizations today connect thousands of users, thousands of endpoints, millions of files and hundreds of exfiltration vectors around the clock, every day of the year. This new digital culture has enabled extraordinary levels of collaboration, productivity and speed, but it has also created a new form of data risk: Insider Risk.


What is Insider Risk? It’s any data exposure event – whether accidental or malicious – that jeopardizes the financial, reputational or operational well-being of a company and its employees, customers and partners. 


More and more organizations are looking to implement Insider Risk Management to detect and respond to data loss, theft and leaks. But the biggest barrier to implementing or improving Insider Risk Management is designing the program itself. 46% of security leaders find defining processes and procedures to be the hardest part, which is why most organizations are reacting to Insider Risk rather than managing it.


We don’t believe in complex or painful programs, so we’ve boiled all of our Insider Risk Management (IRM) expertise into 5 simple steps.


Attend an Insider Risk Detection Workshop: Learn how Code42 Incydr™ helps operationalize these 5 IRM framework steps.

Enter Code42 Insider Risk Management

Taking an IRM approach to data protection prioritizes the realization of value through continual risk reduction instead of the mere perception of protection that the conventional DLP approach has created.

The IRM approach offers a business several benefits. For example:

  • IRM promises that companies never compromise the speed of innovation or the safety of data. 
  • It is founded on three pillars: 
    • Monitor all files, vectors & users 
    • Be non-disruptive to employees 
    • Be 100% cloud-native 

Now, let’s explore each of the 5 steps in more detail.

1. Identify where your risks are

You can’t manage what you can’t see. This is why the first step to Insider Risk Management is to look across the three dimensions of risk – files, vectors and users – to see where you’re vulnerable to Insider Risk. Use the Insider Risk Calculator to identify where the biggest gaps in your Insider Risk posture are today. This becomes the baseline against which you measure IRM program effectiveness.

Insider Risk Calculator

Technology can make this easier. Contact our Insider Risk experts to get started with using Code42 Incydr to help assess your Insider Risk.


2. Define your risk tolerance

Now that you have the context to know where your data is exposed to Insider Risk, it’s time to define what your organization considers trusted and untrusted activity. Partnering with line-of-business leaders is paramount to defining risk tolerance. Only the business leader knows which exposure and exfiltration risks matter most to them, which devices, destinations and users they trust and, more importantly, which they do not trust.

Common insider actions that are often considered untrusted and represent leading indicators of Insider Risk include:  

  • Moving source code to thumb drives
  • Sending zip files via personal email accounts 
  • Exfiltrating Salesforce reports 
  • Changing file extensions
  • Uploading files via web browsers 
  • Airdropping files to a personal device
  • Moving files to cloud applications during off-hours
  • Creating publicly shareable links in cloud applications

Security leaders need to define the severity of these events and have the technical ability to detect and respond when these Insider Risk Indicators occur. Use the Risk Tolerance Template to define the severity of common Insider Risk scenarios based on your risk tolerance.

Risk Tolerance Template
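The following is an added example, not code from the original page or from Code42. It turns the untrusted-activity indicators listed above into detection rules over constructed file-activity events, assigns each hit a severity from a hypothetical risk-tolerance table (the event schema, field names, severity values and working-hours window are all assumptions), and ranks the results so that step 3, reviewing only what matters, falls out of step 2.

```python
import os
from datetime import datetime

# Hypothetical severity table (1 low .. 3 high); placeholders for what the business owners would set.
SEVERITY = {
    "source_code_to_removable_media": 3, "zip_to_personal_email": 3, "salesforce_report_exfil": 3,
    "file_extension_changed": 1, "browser_upload": 1, "airdrop_to_personal_device": 2,
    "offhours_cloud_move": 2, "public_share_link": 2,
}
SOURCE_EXTS = (".py", ".go", ".java", ".c", ".rs")
PERSONAL_MAIL_DOMAINS = ("gmail.com", "outlook.com", "yahoo.com")
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59, an assumed working window

def classify(ev: dict) -> list:
    """Return the untrusted-activity indicators (from the list above) that one file event matches."""
    action, path, dest = ev["action"], ev["path"].lower(), ev["dest"].lower()
    hour = datetime.fromisoformat(ev["ts"]).hour
    hits = []
    if action == "copy" and dest.startswith("removable:") and path.endswith(SOURCE_EXTS):
        hits.append("source_code_to_removable_media")
    if action == "email" and path.endswith(".zip") and dest.split("@")[-1] in PERSONAL_MAIL_DOMAINS:
        hits.append("zip_to_personal_email")
    if ev.get("source_app") == "salesforce" and path.endswith((".csv", ".xlsx")):
        hits.append("salesforce_report_exfil")
    if action == "rename" and os.path.splitext(path)[1] != os.path.splitext(dest)[1]:
        hits.append("file_extension_changed")  # for renames, dest holds the new file name
    if action == "upload" and dest.startswith("browser:"):
        hits.append("browser_upload")
    if action == "airdrop":
        hits.append("airdrop_to_personal_device")
    if action == "upload" and dest.startswith("cloud:") and hour not in BUSINESS_HOURS:
        hits.append("offhours_cloud_move")
    if action == "share" and dest == "public_link":
        hits.append("public_share_link")
    return hits

def triage(events: list) -> list:
    """Rank every matched indicator by severity, so reviewers see the highest-risk activity first."""
    rows = [(SEVERITY[i], ev["user"], i, ev["path"]) for ev in events for i in classify(ev)]
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample events (not real telemetry); the last event is benign and should produce no hit.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-03-04T10:15:00", "action": "copy", "path": "src/auth.py", "dest": "removable:E:"},
    {"user": "bob", "ts": "2024-03-04T11:00:00", "action": "email", "path": "q1-pipeline.zip", "dest": "bob.personal@gmail.com"},
    {"user": "carol", "ts": "2024-03-04T23:30:00", "action": "upload", "path": "reports/accounts.csv", "dest": "cloud:dropbox", "source_app": "salesforce"},
    {"user": "dave", "ts": "2024-03-04T09:05:00", "action": "rename", "path": "designs/spec.docx", "dest": "designs/spec.txt"},
    {"user": "frank", "ts": "2024-03-04T16:45:00", "action": "share", "path": "roadmap.pptx", "dest": "public_link"},
    {"user": "erin", "ts": "2024-03-04T14:00:00", "action": "upload", "path": "notes.txt", "dest": "cloud:gdrive"},
]
```

Calling `triage(SAMPLE_EVENTS)` yields six ranked rows, with Carol's off-hours Salesforce export matching two indicators at once and Erin's in-hours cloud upload matching none.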


3. Prioritize and review only what matters

Once security and risk teams are armed with an aligned definition of risk tolerance across business partners, prioritizing data exposure and exfiltration risk becomes easier and more actionable. Remember the context we collected and logged in the Identify stage? Here is where that context comes into play.  


4. Work with business partners to define processes for when policies are broken

Business partners like HR, Legal and IT are force multipliers and essential allies for scaling your IRM program. Here are some tips from the trenches on how to leverage business partners to automate and enhance response workflows. To engage them, it helps to first understand what they care about and then define roles and responsibilities. Here is an IRM program RACI template to help:

IRM Program RACI Template

These business partners will help your IRM program scale, but it’s up to you – security – to determine the right-sized response process for when policies are broken.


5. Set goals and measure success criteria

Last but not least, it’s important to define what success looks like and how you will report on it. Quarterly reporting focused on Insider Risk posture improvements derived from behavioral change will help show your CEO and board the success of your Insider Risk Management program. Here are Insider Risk success metrics to measure:

Insider Risk Success Metrics Template



More resources to help get started with IRM:


See Incydr Demo Now –>