Insider Risk

Learn about common insider risk challenges and how IncydrTM helps solve them

Contact Sales

More collaboration, more insider risk

The way we work has changed. Fast-paced, people-first cultures are the norm. Employees demand flexible ways to do their work. Tools like Slack, Zoom, Box and Google Drive make employees more collaborative, productive and virtual. Unfortunately, they also make corporate data more invisible and portable. As digital collaboration has increased, so too has insider risk.

What is insider risk vs insider threat?

Insider risk occurs when data exposure jeopardizes the well-being of a company and its employees, customers or partners. Mitigating data exposure is the primary way for security teams to address insider risk.

Insider threat, on the other hand, is more focused on the person putting data at risk. One of the most respected definitions of insider threat comes from Carnegie Mellon's CERT Insider Threat Center: "Insider Threat--the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."

Distinguishing between insider risk and insider threat might feel like splitting hairs, but it's an important distinction. It's not enough to detect and respond to insider threats as they happen. Security teams first need a strategic understanding of what data is at risk, how effectively data is protected from exposure, and how vulnerable the organization is to future insider threats.

Trends increasing insider risk


of CISOs believe a fast-paced collaborative culture puts the company at greater risk.

(Code42 Data Exposure Report 2019)


of data breaches involve an insider.

(Code42 Data Exposure Report 2019)


of enterprises are unable to consistently detect insider threats.

(Bitglass 2019 Insider Threat Report)


of data breaches take months or years to discover.

(Verizon 2019 Insider Threat Report)


of organizations find it difficult to assess a threat's severity.

(HelpNet Security 2019)


of security professionals identify significant weaknesses with solutions such as DLP, UEBA and UAM.


Weaknesses of traditional solutions

No company-wide view of data risk
Products that primarily provide a user-centric view of activity, such as User Activity Monitoring (UAM), do not allow you to accurately evaluate company-wide data risk. This makes it difficult to identify trends in high-risk activity or review all activity of a given type, such as files saved to Dropbox.

Limited protection of IP and other high-value files
Products like endpoint Data Loss Prevention (DLP) only monitor activities that violate a policy. This leads to blind spots unless policies are perfectly written, implemented and maintained. Often, policies are only created to protect compliance data. This leaves many business files, like customer lists, financial reports, product roadmaps and marketing strategies, vulnerable to insider threat.

Difficult deployment and management
Products with long deployment times, such as DLP and Cloud Access Security Broker (CASB) delay effective data protection by taking organizations months if not years to fully implement. Coupled with this, products that significantly impact device performance or have a high per-user cost are often only deployed in pockets of the organization. This limits security visibility into data risk.

Impact on corporate culture and collaboration
Products that block user activities run the risk of false-positive alerts getting in the way of legitimate employee activity. This can encourage employees to circumvent security controls or pressure security teams into turning off blocking functionality. Additionally, when security teams view insider threat as only a malicious issue rather than well-intentioned or accidental, they put the focus on surveilling users rather than protecting data. This creates a police vs. partner mentality within the organization.

Incydr Solution

3 Dimensions to Insider Risk:
Files, Vectors and Users

The foundation of Incydr's ability to detect and respond to data risk comes from monitoring all file activity regardless of what is considered acceptable or unacceptable by security policy. Incydr uses rich context on the vector, file and user to determine which activities represent real risk.

Incydr's unique approach to file event monitoring reduces security overhead while also detecting risk that goes unnoticed by technologies like DLP and UAM.

Learn more about Incydr

Mitigate insider risk without disrupting collaboration

Detect data exposure
See high-risk activity including browser uploads, email attachments, and file transfers to USB, Slack, Dropbox and iCloud.

Investigate insider threats
Identify the employees most likely to put data at risk and get a prioritized list of employees whose recent file activity requires investigation.

Quickly take action
Automate remediation with SOAR, inform security awareness training strategies and substantiate insider threat litigation.