All the documents you need to start your Insider Risk Management Program
Organizations today connect thousands of users, thousands of endpoints, millions of files and hundreds of exfiltration vectors 24/7 often 365 days a year. This new digital culture has allowed for extraordinary levels of collaboration, productivity and speed…but it has also created a new form of data risk. It’s called Insider Risk.
What is Insider Risk? It’s any data exposure event – whether accidental or malicious – that jeopardizes the financial, reputational or operational well-being of a company and its employees, customers and partners.
More and more organizations are looking to implement Insider Risk Management to detect and respond to data loss, theft and leaks. But, the biggest barrier to implementing or improving Insider Risk Management is designing the program itself. 46% of security leaders find defining process and procedures to be the hardest part, and the reason why most organizations are reacting to Insider Risk more than they are managing it.
We don’t believe in complex or painful programs, so we’ve boiled all of our Insider Risk Management (IRM) expertise into 5 simple steps.
Attend an Insider Risk Detection Workshop: Learn how Code42 Incydr™ helps operationalize these 5 IRM framework steps.
1. Identify where your risks are
You can’t manage what you can’t see. This is why the first step to Insider Risk Management is to look across the three vectors of risk – files, vectors, and users – to see where you’re vulnerable to Insider Risk. Use the 10 Question Insider Risk Self-Assessment to identify where the biggest gaps in your Insider Risk posture are today. This will become the baseline from which you measure IRM program effectiveness.
Technology can make this easier. Contact our Insider Risk experts to get started with using Code42 Incydr to help assess your Insider Risk.
2. Determine your risk tolerance
Now that you have the context to know where your data is exposed to Insider Risk, it’s time to determine what vectors, activities or scenarios are unacceptable. Common insider actions that are often considered untrusted and represent leading indicators of Insider Risk include:
- Moving source code to thumb drives
- Sending zip files via personal email accounts
- Exfiltrating Salesforce reports
- Changing file extensions
- Uploading files via web browsers
- Airdropping files to a personal device
- Moving files to cloud applications during off-hours
- Creating publicly shareable links in cloud applications
Security leaders need to define the severity of these events and have the technical ability to detect and respond when these Insider Risk Indicators occur. Use the Risk Tolerance Template to define the severity of common Insider Risk scenarios based on your risk tolerance.
3. Create, publish and promote data use governance policies
Integrate data use governance policies and security awareness training into your Insider Risk Management program as a force multiplier. Clear policies, communication, and regular training that is informed by Insider Risk intelligence drives behavioral change and creates a risk-aware culture.
4. Work with business partners to define processes for when policies are broken
Speaking of force multipliers, business partners like HR, Legal and IT are essential allies for scaling your IRM program. Here are some tips from the trenches on how to leverage business partners to automate and enhance response workflows. To engage them, it helps to first understand what they care about and then define roles and responsibilities. Here is an IRM program RACI template to help:
These business partners will help your IRM program scale, but it’s up to you – security – to determine the right-sized response process for when policies are broken.
5. Set goals and measure success criteria
Last but not least, it’s important to define what success looks like and how you will report on it. Quarterly reporting focused on Insider Risk posture improvements derived from behavioral change will help show your CEO and board the success of your Insider Risk Management program. Here are Insider Risk success metrics to measure:
More resources to help get started with IRM: