
5 Simple Steps to Getting Started with Insider Risk Management

All the documents you need to start your Insider Risk Management Program


Organizations today connect thousands of users and endpoints, millions of files and hundreds of exfiltration vectors around the clock, every day of the year. This digital culture has enabled extraordinary collaboration, productivity and speed, but it has also created a new form of data risk: Insider Risk.


What is Insider Risk? It’s any data exposure event – whether accidental or malicious – that jeopardizes the financial, reputational or operational well-being of a company and its employees, customers and partners. 


More and more organizations are looking to implement Insider Risk Management to detect and respond to data loss, theft and leaks. But the biggest barrier to implementing or improving Insider Risk Management is designing the program itself: 46% of security leaders find defining processes and procedures to be the hardest part, which is why most organizations are reacting to Insider Risk rather than managing it.


We don’t believe in complex or painful programs, so we’ve boiled all of our Insider Risk Management (IRM) expertise into 5 simple steps.


Code42 Insider Risk Management Framework


Attend an Insider Risk Detection Workshop: Learn how Code42 Incydr™ helps operationalize these 5 IRM framework steps.


1. Identify where your risks are

You can’t manage what you can’t see. This is why the first step to Insider Risk Management is to look across the three dimensions of risk: the files involved, the exfiltration vectors they move through, and the users moving them, to see where you are vulnerable to Insider Risk. Use the 10 Question Insider Risk Self-Assessment to identify where the biggest gaps in your Insider Risk posture are today. This becomes the baseline against which you measure IRM program effectiveness.

10 Question Insider Risk Self-Assessment

Technology can make this easier. Contact our Insider Risk experts to get started with using Code42 Incydr to help assess your Insider Risk.


2. Determine your risk tolerance

Now that you know where your data is exposed to Insider Risk, determine which vectors, activities or scenarios are unacceptable. Common insider actions that are often treated as untrusted, and that serve as leading indicators of Insider Risk, include:

  • Moving source code to thumb drives
  • Sending zip files via personal email accounts 
  • Exfiltrating Salesforce reports 
  • Changing file extensions
  • Uploading files via web browsers 
  • Airdropping files to a personal device
  • Moving files to cloud applications during off-hours
  • Creating publicly shareable links in cloud applications

Security leaders need to define the severity of these events and have the technical ability to detect and respond when these Insider Risk Indicators occur. Use the Risk Tolerance Template to define the severity of common Insider Risk scenarios based on your risk tolerance.

Risk Tolerance Template
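To make step 2 concrete, the following is an added example (it is not Code42 code and not part of the original page) of how the leading indicators listed above can be scored against a risk-tolerance table and turned into a response queue. The event schema, field names, business hours, corporate domain, severity levels and the sample events are all assumptions constructed for the example; a real program would map them onto whatever telemetry it actually collects.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Hypothetical risk-tolerance table (assumption: tune it to your own tolerance).
# Each key corresponds to one of the leading indicators listed in step 2.
RISK_TOLERANCE = {
    "source_code_to_removable_media": "critical",  # source code to thumb drive
    "archive_to_personal_email": "high",           # zip file via personal email
    "crm_report_export": "high",                   # Salesforce report exfiltration
    "file_extension_changed": "medium",            # extension change on a file
    "browser_upload": "medium",                    # upload via web browser
    "airdrop_to_personal_device": "high",          # AirDrop to a personal device
    "off_hours_cloud_upload": "high",              # cloud upload outside business hours
    "public_share_link": "high",                   # public link in a cloud app
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed organisational context (constructed for the example).
CORPORATE_DOMAINS = {"example.com"}
SOURCE_CODE_EXTS = {".py", ".java", ".go", ".c", ".cpp", ".rs", ".js", ".ts"}
ARCHIVE_EXTS = {".zip", ".7z", ".tar", ".gz", ".rar"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # Monday to Friday

@dataclass
class Event:
    """One file-activity event (hypothetical schema for this example)."""
    ts: str                 # ISO 8601 local time
    user: str
    action: str             # copy | email | upload | rename | share | export
    path: str
    destination: str = ""   # "<kind>:<value>", kind in removable|email|cloud|airdrop|browser
    new_path: str = ""      # rename events only
    visibility: str = ""    # share events only: private | org | public
    source_app: str = ""    # export events only, e.g. "salesforce"

def ext(path: str) -> str:
    i = path.rfind(".")
    return path[i:].lower() if i >= 0 else ""

def is_off_hours(ts: str) -> bool:
    """Weekend, or a weekday time outside BUSINESS_HOURS."""
    dt = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return dt.weekday() >= 5 or not (start <= dt.time() < end)

def indicators(e: Event) -> list:
    """Return every indicator the event trips; one event can trip several."""
    found = []
    kind, _, value = e.destination.partition(":")
    if e.action == "copy" and kind == "removable" and ext(e.path) in SOURCE_CODE_EXTS:
        found.append("source_code_to_removable_media")
    if e.action == "email" and kind == "email" and ext(e.path) in ARCHIVE_EXTS:
        if value.rpartition("@")[2].lower() not in CORPORATE_DOMAINS:
            found.append("archive_to_personal_email")
    if e.action == "export" and e.source_app.lower() == "salesforce":
        found.append("crm_report_export")
    if e.action == "rename" and e.new_path and ext(e.new_path) != ext(e.path):
        found.append("file_extension_changed")
    if e.action == "upload" and kind == "browser" and value.lower() not in CORPORATE_DOMAINS:
        found.append("browser_upload")
    if kind == "airdrop":
        found.append("airdrop_to_personal_device")
    if e.action == "upload" and kind == "cloud" and is_off_hours(e.ts):
        found.append("off_hours_cloud_upload")
    if e.action == "share" and e.visibility == "public":
        found.append("public_share_link")
    return found

def score(e: Event):
    """Event severity = severity of its worst indicator under RISK_TOLERANCE."""
    found = indicators(e)
    if not found:
        return None, []
    worst = max(found, key=lambda i: SEVERITY_RANK[RISK_TOLERANCE[i]])
    return RISK_TOLERANCE[worst], found

def triage(events, threshold="high"):
    """Events at or above the threshold, worst first: the response queue for step 4."""
    hits = []
    for e in events:
        sev, found = score(e)
        if sev and SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold]:
            hits.append((e.user, sev, found))
    return sorted(hits, key=lambda h: -SEVERITY_RANK[h[1]])

def per_user_counts(events, threshold="high"):
    """Threshold-or-worse events per user: a simple posture metric for step 5."""
    counts = {}
    for user, _, _ in triage(events, threshold):
        counts[user] = counts.get(user, 0) + 1
    return counts

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    Event("2024-03-04T14:12:00", "alice", "copy", "repo/auth/token.py", "removable:USB-1"),
    Event("2024-03-04T22:40:00", "bob", "upload", "q1-forecast.xlsx", "cloud:dropbox"),
    Event("2024-03-05T10:05:00", "bob", "email", "customers.zip", "email:bob.home@gmail.com"),
    Event("2024-03-05T10:06:00", "carol", "rename", "design.docx", new_path="design.txt"),
    Event("2024-03-05T11:00:00", "dave", "share", "roadmap.pptx", visibility="public"),
    Event("2024-03-05T11:30:00", "erin", "upload", "notes.pdf", "browser:wetransfer.com"),
    Event("2024-03-05T12:00:00", "frank", "copy", "photo.jpg", "removable:USB-2"),
    Event("2024-03-05T13:00:00", "grace", "export", "pipeline.csv", source_app="Salesforce"),
]

if __name__ == "__main__":
    for user, sev, found in triage(SAMPLE_EVENTS):
        print(f"{sev:8} {user:6} {', '.join(found)}")
    print(per_user_counts(SAMPLE_EVENTS))
```

Two design points worth noting: the severity comes from the table, not from the detection logic, so changing your risk tolerance (for example, treating browser uploads as high rather than medium) is a one-line edit that does not touch detection; and the same threshold drives both the response queue and the per-user metric, so the numbers reported in step 5 describe exactly the events that step 4 acted on.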


3. Create, publish and promote data use governance policies

Integrate data use governance policies and security awareness training into your Insider Risk Management program as a force multiplier. Clear policies, clear communication, and regular training informed by Insider Risk intelligence drive behavioral change and create a risk-aware culture.


4. Work with business partners to define processes for when policies are broken

Speaking of force multipliers, business partners like HR, Legal and IT are essential allies for scaling your IRM program. Here are some tips from the trenches on how to leverage business partners to automate and enhance response workflows. To engage them, it helps to first understand what they care about and then define roles and responsibilities. Here is an IRM program RACI template to help:

IRM Program RACI Template

These business partners will help your IRM program scale, but it’s up to you – security – to determine the right-sized response process for when policies are broken.


5. Set goals and measure success criteria

Last but not least, it’s important to define what success looks like and how you will report on it. Quarterly reporting focused on Insider Risk posture improvements derived from behavioral change will help show your CEO and board the success of your Insider Risk Management program. Here are Insider Risk success metrics to measure:

Insider Risk Success Metrics Template



More resources to help get started with IRM: