
Insider Risk vs Malware – Why Insider Risk Requires a New Approach


Security teams focused on mitigating data loss threats are increasingly facing challenges that come from the way their own coworkers across the business get their jobs done. Years of digitization, hybrid and remote work, and empowering employees to collaborate effectively from anywhere have changed the structure of data in most organizations. Our Annual Data Exposure Report research shows the Insider Risk problem keeps getting bigger. Employees are 85% more likely to leak or take data today than pre-pandemic, and there’s a 1 in 3 chance that you’re losing critical intellectual property every time an employee leaves the company. But it’s not just the proliferation of cloud tools and remote work that’s accelerating the problem. In many ways, the mindset and strategies that security teams use to address insider threat are actually aggravating the issue.

Conventional threat response is a game played in black and white

Until about 4 years ago, the predominant risk to data was from malware and other external threats, which meant hunt-and-block was the name of the game in enterprise security operations. In that world speed is critical, and the military mindset that guides the tools, strategies and language of data security and cybersecurity makes perfect sense. Defending against external actors and malware is a game played in black and white. There are clear demarcations between threats and non-threats. There is zero tolerance for malware — it needs to be definitively stopped.

The adversarial approach is logical: There are only good and bad actors, so there’s no discussion of how to get the bad actors to act…less bad. And there’s no need to bring in HR or Legal because these threats come from outside your organization — you just need to act fast to block the threat.

Insider Risk management is a game of nuance — played in full color

Insider Risk is a fundamentally different problem than malware or external threats for security teams, which means that protecting data from insiders requires a fundamentally different approach. Insider Risk isn’t a black-and-white game with clear sides; it’s a game of nuance, played in full color. These aren’t external bad actors — they’re your colleagues. But their inside access can lead to Insider Risk that causes more damage much faster. Some unintentionally expose data as they try to get work done faster, more easily and effectively. Then there’s the rare-but-alarming malicious insider, who uses their insider access to cover their tracks by making intentional IP theft blend in with the noise of everyday productivity.

Either way, Insider Risk is tightly intertwined with how your business operates. It’s an inherent quality of everyday actions and workflows — people editing, moving and sharing files; connecting remotely, outside the VPN and through cloud apps. And a decision to “stop the threat” has traditionally meant interrupting work.

Navigating this dynamic brings in the concept of risk tolerance. With companies increasingly building competitive advantage around innovation and agility — and the landmark shift toward remote/hybrid work models — the reality is that some Insider Risk is worth tolerating in exchange for value-producing productivity.

The conventional security mentality makes Insider Risk worse

Military-inspired language, strategies and mentality (e.g., hunting down and neutralizing threats) that are common for malware don’t work with Insider Risk. In fact, they only make the problem worse. Put another way, applying the conventional security mentality to Insider Risk puts the security team in an antagonistic position with people who could be effective partners. The twitchy “trigger finger” on DLP, CASB and other traditional blocking tools shoots down far too much legitimate, valuable and harmless employee activity. This “friendly fire” impedes productivity and collaboration — and directly works against the speed, agility and innovation the C-suite is driving toward. Moreover, a DLP or CASB only alerts you to bad actions that you’ve already told it to look for; what about all of the other risk that you didn’t specify?

The adversarial relationship that results from a hunt-and-block approach can itself heighten Insider Risk. While security teams are hunting down the rare malicious employee, they’re creating negative tension with the rest of the well-meaning-but-equally-risky employees. Turning the unintentional Insider Risk actors into adversaries pushes them to find new ways to work around tools and protocols — and pushes Insider Risk further into the shadows. The goal with these unintentional risky users shouldn’t be to “catch” end users doing risky things; the goal should be to get them to do the right things more often. You can’t persuade a hacker or a piece of malware to change behavior. But when it comes to your colleagues, simple education, delivered at the right time, can go a long way toward steering behaviors and building a security-aware culture — to getting end users working with you to mitigate harmful insider behaviors.

Protecting and enabling the business

No one wants to be a business blocker. And with more organizations prioritizing innovation, collaboration and agile productivity, security teams feel more pressure than ever: Leadership demands that you stop breaches and keep the company out of the headlines — yet impeding innovation and productivity could similarly cost security leaders their jobs.

Insider Risk is the biggest data security threat in the typical organization. And it requires an approach purpose-built to handle the specific nature of threats that come from inside an organization. Insider Risk Management programs stop data exposure with controls frameworks that take into account the severity of a risk and offer proportional options. IRM programs also streamline investigation and follow-up from multiple teams (security, management, legal, or HR) by reducing manual, repetitive, and/or error-prone tasks while also mitigating future risk with education. Education can reduce alert fatigue and drive secure work habits by sending relevant, bite-sized content to inform users; that content is automatically triggered by the actions that put data at risk. This shift in approach results in expanded control over the data leaving your organization and secure work habits that decrease future chances of employees putting data at risk.
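To make the contrast concrete, here is an added illustration of the proportional, severity-tiered response the paragraph describes, beside the binary allow/block rule that fits malware. This is example code written for this page, not Code42's product logic; the event fields, weights and tier thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class FileEvent:  # one observed file movement; fields and values are constructed for this example
    user: str
    destination: str         # "corporate_sharepoint", "usb", "personal_cloud", "personal_email"
    sensitivity: str         # "public", "internal", "confidential"
    departing: bool = False  # user is inside an offboarding window
    prior_nudges: int = 0    # educational prompts already sent to this user for this behaviour

# Assumed weights: how far outside sanctioned channels the data went, and how sensitive it is.
DEST_WEIGHT = {"corporate_sharepoint": 0, "usb": 1, "personal_cloud": 2, "personal_email": 2}
SENS_WEIGHT = {"public": 0, "internal": 1, "confidential": 3}

def malware_response(detected: bool) -> str:
    """The black-and-white rule that fits external threats: a detection is simply blocked."""
    return "block" if detected else "allow"

def insider_score(ev: FileEvent) -> int:
    """Severity on a small integer scale; 0 means the file stayed in sanctioned channels."""
    base = DEST_WEIGHT.get(ev.destination, 2) * (1 + SENS_WEIGHT.get(ev.sensitivity, 1))
    if base == 0:
        return 0
    if ev.departing:          # departing employees are the post's highest-exposure case
        base += 3
    if ev.prior_nudges >= 2:  # education already tried twice: escalate instead of re-nudging
        base += 1
    return base

def insider_response(ev: FileEvent) -> Tuple[str, List[str]]:
    """Proportional options instead of a single block: a tier name plus follow-up actions."""
    s = insider_score(ev)
    if s == 0:
        return "allow", []
    if s <= 2:
        return "educate", ["send_microlearning"]          # no ticket; work continues
    if s <= 6:
        return "review", ["open_case", "notify_manager"]  # a human looks before anything is held
    return "contain", ["hold_transfer", "open_case", "notify_legal_hr"]

def triage(events: List[FileEvent]) -> Dict[str, int]:
    """Count events per tier; on a typical day most should be allow/educate, not contain."""
    tiers = [insider_response(ev)[0] for ev in events]
    return {t: tiers.count(t) for t in set(tiers)}

# Constructed sample day: ordinary work plus one departing user moving confidential data out.
SAMPLE_EVENTS = [FileEvent("alice", "corporate_sharepoint", "confidential"),
                 FileEvent("bob", "usb", "internal"), FileEvent("carol", "personal_cloud", "internal"),
                 FileEvent("dave", "personal_cloud", "confidential", departing=True),
                 FileEvent("erin", "usb", "internal", prior_nudges=2)]
```

Only one of the five constructed events reaches the contain tier; the rest are allowed, nudged, or routed to a human review, which is the proportionality the post argues for.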

The post Insider Risk vs Malware – Why Insider Risk Requires a New Approach appeared first on Code42.

About the Author

As director of security operations at Code42, Nathan Hunstad leads the team responsible for security tooling, red team exercises and responding to security events. Nathan joined Code42 in 2016, bringing experience from both the private and public sector, and is a graduate of the Master of Science in Security Technologies (MSST) program at the University of Minnesota.
