Insider threats are a growing phenomenon, but many businesses aren’t yet doing enough to protect themselves effectively.
In Europe and the Middle East, for example, 70% of organizations don’t have a strategy for stopping insider threats. For the most part, they’re being held back by budgetary constraints and a lack of internal expertise. Others simply don’t see insider threats as a substantial enough issue to invest in. In other words, senior leaders don’t understand the threat enough to make it a priority.
The problem doesn’t stop there, however. Those that do see the value in stopping insider threats often work with software solutions that rely on traditional models for insider risk management (IRM). While this is a good step in the right direction, many IRM solutions rely on a simplistic approach that doesn’t cover all the bases. They’re often reactive in nature, focusing on behavioral flags rather than taking a holistic view of how insiders are engaging with data and limiting trust and permissions.
To truly stay ahead of the risk of insider threats, companies need to take an integrated approach that helps them be proactive and comprehensive, without impacting how effectively people do their jobs. In this article, we’re exploring what that looks like in practice from a technical standpoint.
The risk of insider threats
Before we explore what an integrated approach to combating insider threats looks like, it’s important to understand the risks posed by this attack vector. Insider threats are defined as employees, contractors, or partners who have access to sensitive data within your organization and expose, leverage, or sell that data. This can be done intentionally — either by a disgruntled employee or someone who has been compromised — or accidentally by someone making an error when sharing or storing data.
Regardless of the intent, insider threats can have a massive negative impact on a company. Depending on the type of data that’s exfiltrated by an insider threat, a company can lose proprietary information that sets it apart from competitors, expose customer data and suffer reputational damage as a result, or even spend millions of dollars on fines from data privacy regulators. As such, companies need a strong, reliable approach to mitigating these threats.
The limitations of traditional insider risk management
The main problem with most insider risk products is that they don’t do enough. They often take a passive approach, alerting you to threats without actually stopping them — and the alerts aren’t always reliable. In practice, these tools are limited by:
- Only tracking behavior, not the data being handled. This means IRMs can’t connect specific behaviors to the data being used, opening the door to false alarms and missed nefarious activity.
- An inability to stop data from leaving. Most IRMs are designed to analyze event logs, but they don’t have the ability to take action when data is at risk.
- Alerts that lack the context needed to investigate. Security analysts need specific information to track a potential vulnerability, but IRM alerts typically don’t include that context.
According to the Ponemon Institute, insider threats have become one of the leading causes in data breaches, with the cost of each incident averaging $6.6 million. The current approach isn’t working. Companies simply can’t afford to take a traditional, passive approach when it comes to managing their insider threats.
What a comprehensive approach looks like
So, if traditional IRM tools aren’t doing enough, what’s the alternative? An integrated approach to addressing insider threats exists beyond detection. Rather than simply identifying an issue, a modern insider threat solution goes further, intervening the moment the data is at risk and giving security analysts all the information they need to investigate and resolve the problem.
When compared to traditional solutions, an integrated approach to IRM stands out with capabilities including:
- Taking a collective approach of both behavioral analysis and data analysis. This ensures that threats are detected accurately and the number of false positives are vastly reduced. In other words, it makes an organization better able to identify actual insider threats instead of following up on everyday behaviors that aren’t risky.
- Identifying threats that take place over a long period of time. Whether they’re working alone or with a bad actor on the outside, compromised insiders will often take a low-and-slow approach to avoid detection. Robust IRM solutions account for this with an extensive record of events where they can find correlating activities that point to an attack.
- Intervening upon detection. Leading IRM solutions are built to take immediate action once an insider threat has been detected. They block data exfiltration across all channels, including cloud, email, website, removable storage devices, Bluetooth-connected devices, and more.
Other comprehensive features in an integrated IRM solution include increased data visibility, customizable proactive policies across common exfiltration channels, contextual data classification, and forensic data capturing.
Taking insider risk management to the next level
As insider threats become more sophisticated — and expensive — so must the technologies and platforms that mitigate them. This is why, as they continue to refine their offerings, leading solutions are taking an increasingly integrated approach that goes beyond insider risk management as we know it.
New and refined features could include:
- Collecting forensic-level events without physical access to a device, so that every user action related to a piece of data is captured and teams can review incidents retrospectively.
- Educating users on appropriate behavior with real-time popups. This approach is more effective than email notifications established through in-app configurations.
- Protecting data that’s obscured by encryption or compression, a typical way that insider threats exfiltrate sensitive data. This keeps data safe and out of nefarious hands.
- Preventing data from being sent to encrypted apps that are outside of network controls. This proactive approach ensures that the data is kept where it’s meant to, and insider threats can’t circumnavigate existing protections.
- Identify risky data ingress. If an employee brings in protected data from another company, that could make your organization liable. Therefore, a robust IRM solution should also pay attention to the data that enters your business and prevent it from being introduced in sensitive areas.
The insider threat landscape is constantly evolving. Companies that want to remain secure and protect themselves from malicious or negligent insiders need to adopt comprehensive solutions, removing the burden from the organization. Beyond these technical considerations, it’s also important to remember that building a security-focused culture, one where employees understand the risk of insider threats and what they can do to mitigate them, is another vital element. Delivering these two approaches in parallel is what will make the insider threat program as robust as it can be.
Ali Cameron is a content marketer that specializes in the cybersecurity
and B2B SaaS space. Besides writing for Tripwire's State of Security blog,
she's also written for brands including Okta, Salesforce, and Microsoft.
Taking an unusual route into the world of content, Ali started her career as
a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that's well suited for writing in the cybersecurity space. She is also a regular writer for Bora.