Incident Response

Learn about common Insider Risk incident response challenges and how Incydr™ helps solve them

Start my free trial

What is incident response?

Incident response is the structured methodology by which an organization addresses and manages a security incident, such as a breach. SANS Institute has defined a 5-phase framework for incident response which includes preparation, identification, containment, eradication and recovery. These incident response activities are typically carried out by an organization's CIRT (computer—or cyber—incident response team). The team may partner with other business functions such as public relations and legal.

Corporate response to Insider Risk incidents

Organizations must be equipped to quickly investigate and respond when Insider Risk occurs. One way to prepare is by creating detailed response plans for incident scenarios. Insider Risk scenarios should include high-impact data leak events such as:

  • accidental leak of customer information
  • an employee leaking strategic files to a competitor
  • a contractor taking files at the end of their contract
  • files publicly exposed from within Google Drive or another corporate system
  • IP theft
  • corporate espionage
  • malicious destruction of files

Incident response plans should be created and practiced by a cross-functional team with stakeholders from HR, legal, security and public relations. The plans should consider technical capabilities that enable fast detection of Insider Risk activity. They should also consider the most appropriate response for each scenario. It is common practice for Insider Risk incidents to require non-technical responses such as personal communication and disciplinary or legal action.

Common challenges with Insider Risk response

Delayed identification due to poor risk visibility
According to the Verizon Insider Threat Report, the majority of insider risk breaches take months if not years to discover. Code42 research shows these breaches often occur despite having DLP in place. For this reason, security teams are focused on prioritizing faster detection and better risk intelligence.

Difficulty establishing sufficient evidence
Organizations who do not have file-focused protection solutions in place struggle to put together an accurate account following an incident. This makes investigations incredibly time-consuming. Often, security teams must piece together logs from various endpoint and network security tools. Organizations who do not have sufficient evidence may need to spend time and money to perform outsourced computer forensics.

Poor response time
Due to poor detection and long investigation times, the mean time to respond (MTTR) to an Insider Risk incident is often months after the incident occurred. Unfortunately, poor response times result in even greater reputational and competitive damage. The best way to improve your MTTR is to speed the time it takes to detect and investigate Insider Risk and prepare detailed response plans for incident scenarios.

Incident response trends


of enterprises do not have an insider threat response process.



of data breaches take months or years to discover.

(Verizon 2019 Insider Threat Report)


of organizations breached by insider threat had a DLP solution in place at the time.

(Code42 Data Exposure Report 2019)

Incydr Solution

Incydr is a SaaS data risk detection and response product. It enables organizations to detect and respond to data loss, leak and theft on computers and via corporate cloud and email services.

An agent continuously monitors all file activity on corporate Mac, Windows and Linux computers to detect exfiltration via web, apps and removable media. Direct integrations to corporate cloud services like Google Drive and OneDrive detect when employees share files from computers and phones. Integrations with corporate email services such as Microsoft Office 365 and Gmail detect when file attachments are sent to untrusted recipients.

Show me how it works

Using Incydr to speed response to Insider Risk

Detect high-risk activity
See high-risk activity including browser uploads, email attachments, and file transfers to USB, Slack, Dropbox and iCloud.

Quickly investigate Insider Risk events
Incydr offers intuitive investigation workflows so you can collect detailed evidence. This includes the ability to search all file activity across your entire organization in seconds, even if devices are offline.

Perform a right-sized response
Automate remediation with SOAR, inform security awareness training strategies and substantiate insider threat litigation.