Incydr - Building an Insider Risk Management (IRM) Program

This article contains information on building and maturing an Insider Risk Management (IRM) Program, including key components like people, process, and technology, risk mitigation strategies, employee training, and leveraging tools like Incydr for detection and response.

Overview

IRM program, data loss protection program, data protection program, insider threat program, insider risk program, and employee trust program are all names companies use to describe their efforts to protect their most important assets: their people and their data. This course examines some of the different risks to businesses and how a focused effort across people, process, and technology can help mitigate those risks.

Prerequisites

  • You are an Incydr Administrator or Security Practitioner with a beginner to intermediate experience level.
  • You are familiar with Incydr.

Before You Begin

Insider Risk Management (IRM) Programs are designed to help organizations protect what is most important to them: their people and their assets. But whether an organization is just getting started or has an established Insider Risk Management Program, there are some key things to consider.

Traditional cybersecurity programs have focused on preventing malicious actors from breaching the digital perimeter and robbing intellectual property. But that's only one source of cybersecurity risks for an organization.
Another source?
Insiders.

Definitions

  • Insiders are individuals with access to a company’s assets, systems, and data. Example insiders include employees, partners, vendors, interns, suppliers, and contractors.
  • Insider Risk occurs when an insider jeopardizes the well-being of an organization and its employees, customers, or partners–regardless of perceived value or user intent.

Start With Why

It's important to understand the underlying reason(s) why the program is being developed. The board or an executive may have asked for it, but why is it needed, and why is it needed now? (e.g., is a privacy compliance issue, a board requirement, or an SEC regulation prompting the request?)
Understanding the answers to these questions will help guide the creation of any programmatic elements and will help dictate who should be involved in the development process.

Some companies separate data loss, leak, and theft by insiders as a sub-category of risk under the broader topic of "insider threat/risk." This broader topic also includes non-data risks, such as workplace violence and fraud. In organizations like this, a "data loss program" may be under the umbrella of an insider threat program or report directly to security leadership as a separate program.

Examples of Different Types of Business Risks

Businesses face five primary types of risk, which may come from internal actions (such as launching a new product, or an insider threat) and external events (such as a natural disaster, or a malicious actor/hacker). These risk categories are broad and can be used to scope the type of risk and the associated mitigation techniques.

  • Strategic: Strategic risks occur when a business' operations deviate from its business model or plan.
  • Operational: Operational risks are typically caused by events that interrupt the day-to-day procedures of the company.
  • Financial: Financial risks refer to the ebb and flow of the organization's money.
  • Compliance / Legal: Compliance and legal risks arise when the company is in violation of municipal, state, federal, or international laws and regulations.
  • Reputational: Reputational risks arise from negative events that impact the business' public image.

Every risk is a direct result of a human making a decision to act or not act based on a set of known variables. Some risks are good for a business, like a new product launch; others can put the organization's finances and reputation in jeopardy, such as intentionally or unintentionally sharing content with a competitor.

How To Approach Insider Risk Mitigation

Risk Mitigation is a Balancing Act


Viewing insider risk mitigation as a three-legged stool can be helpful because each leg of the stool (people, process, and technology) must be in approximate balance when it comes to efforts and resources. If one leg is a different length, it can throw off the entire balance of the stool. It doesn’t have to be perfectly level, but it should be close.
This holistic approach is needed to anticipate, plan, and mitigate “knowable” business risks. And by having a three-legged approach, there are multiple ways to affect the outcome.
Looking at risk across people, process, and technology helps to define boundaries of what is acceptable and unacceptable behavior.

The Importance of Culture

Part of starting with why and taking a three-legged approach is to confirm alignment with the intended and existing company culture. Some organizations have a very low tolerance for risky insider behavior, while others have a much higher tolerance; some are adamant about constant communication, while others remain tight-lipped.
When it comes to IRM and company culture, there are three core elements: transparency, training, and trust. Each element leads to the next. By being transparent about what the organization is doing to protect data and why it is doing so, employees will better understand the intentions behind the program and the why and what of the training. The combination of transparency and training breeds trust within the organization and creates a more risk-aware culture.

What's In A Name?

Rooted In Your Company Culture

One thing that can cause unease among an employee base is a lack of transparency when a new program is created to focus on insiders creating risk for the organization. To help counter this fear, some organizations have chosen different names for this program. INSA (the Intelligence and National Security Alliance) published a study in 2022 examining naming conventions for IRM Programs.
No matter what a company decides to name its program, it's important that it aligns with the company's culture.

Maturity Model and Success Criteria

Program Success Criteria

After initial development, IRM Programs shift their focus to continuous improvement. Risk mitigation is never done; however, there are many opportunities for success along the way.

Risk Table

When thinking about program maturity, Incydr uses a five-level maturity continuum. Not all organizations will strive for an Optimized level of program maturity, nor should they. Many organizations may find that a Proactive state is their desired level and there are diminishing returns by maturing beyond that point. That's okay. It's important to remember that every organization is different and must choose what works best for it and it alone.

Insider Risk Maturity Continuum

Don't just take our word for it

Below are two other maturity frameworks, both published by the United States federal government, that define assessment criteria and maturity levels.

The National Insider Threat Task Force (NITTF) provides a Maturity Framework for companies to gauge their program maturity. The Cybersecurity and Infrastructure Security Agency (CISA) provides a number of resources for companies to perform a self assessment of their program maturity and insider risk mitigation practices.

People

Executive Buy-In


Ideally, protecting intellectual property and critical assets is important to everyone within an organization. To reinforce this importance, the work should not be done alone or segregated from the rest of the company. No matter how good the team of diverse stakeholders may be, success isn't guaranteed without getting definitive buy-in from leadership.
Seasoned executives are driven by business objectives, objective data, the bottom line, and a good dose of practicality and reason–not fear. A clearly-defined, well-articulated IRM Program should also be founded on those same executive principles.

Insider Risk Working Group

Who are the appropriate stakeholders at the organization to define what assets are important and what risks exist for those assets? This will vary for every company, but typically, at least Security, Information Technology (IT), Legal, and Human Resources (HR)/People are involved. If a company has departments focused on Governance, Risk, and Compliance (GRC) or Privacy these are also departments to include in conversations early and often.

Notional IRMP Structure

Looking for more in-depth information on a specific team or topic mentioned in this course? Check the Additional Resources section at the end of this course for additional modules.

Process

Transparency and Communication


Being transparent and highly communicative about the intent of an IRM Program and the basics of how it is carried out are key drivers in building company buy-in and maturing program development. When rolling out a new IRM Program or a new IRM technology (e.g. Incydr), it's best to inform your employees prior to and during deployment and to issue reminders on a regular basis afterwards via annual training. This helps create a culture of transparency, which can lead to understanding, but most importantly, it helps prevent exfiltrations from happening in the first place. By informing and training the employee base on what is and what is not acceptable, an IRM Program can lead to positive changes in security behavior and an overall improvement in the company's risk posture.

Lifecycles

Compass

Not all data has the same value, nor does the value stay the same throughout its life. By using this compass as a guide, an Insider Risk Working Group (IRWG) can begin determining the appropriate value of, and risks to, assets. Who has access to the data? Where does the data live and how can it be accessed? Why do we care about the data? And when is the data important?
For example, a company going through a "quiet period" in the United States is not allowed to share or market certain materials outside of specific teams, so this information has a who (finance), a where (it must not leave finance), a when (during the quiet period), and a why (because the SEC regulates it). Once the quiet period is over, much of that same data is made freely available to the public and may no longer require the same amount of protection.
The data lifecycle goes from creation to destruction, but it is heavily influenced by both the employee and business lifecycles.

Employee Lifecycle

Employee Life Cycle Risk Mapping

Employees present risk throughout their tenure with an organization. The IRWG should provide guidance on policies and procedures to put in place to ensure data protection is handled throughout the employee lifecycle.
New employees likely aren't familiar with the company's security policies, or they may bring old or bad habits with them from a previous employer.
During their tenure, employees change roles and accumulate access they no longer need (privilege creep), may be put on a performance improvement plan (PIP), or may experience a work or home life event that influences their on-the-job performance.
And of course, at some point, employees will leave the organization; as reported in Incydr's Data Exposure Report, over 60% of employees admit to taking data from a previous employer to their new organization.

Business Lifecycle

Business Life Cycle Risk Mapping

Employees aren't the only entity that has a lifecycle of changes, the company itself has one of its own. Before, during, and after any major company changes, risks are also increased. Before layoffs, employees can sense a change is coming and may begin preparing to be let go. During the reduction in force (RIF) process, risk remains high until after the employees' access has been fully removed.
The same ebb and flow of risk occurs before, during, and after product launches, reporting statements, and other organizational changes.
The IRWG should have clear lines of communication to share pending company events that may drive risk so that the appropriate stakeholders can be prepared to take action to protect, detect, and respond to incidents of insider risk.

Response

Response Playbook

Mistakes happen, so the final primary component of an IRM Program is to have tiered investigation and response procedures in place. Since not all data carries the same level of risk, not all investigations and responses will require the same amount of resources and effort. The appropriate teams should gather and create playbooks that cover everything from event discovery through response and recovery and that include tiered response options to contain, resolve, and educate.

Technology

Incydr is designed to help detect risk events: suspicious file movement, unapproved sharing, and exfiltration activities.
One of the key components of an IRM Program is to be able to trust and verify that employees understand and are following company policies and procedures. Incydr is purpose-built to adhere to IRM Program best practices and help organizations monitor their data for risky activity.

Detection

Incydr's Watchlists are specifically designed to help security teams monitor for risk events performed by higher-risk employees (for example, departing employees). Incydr can be integrated with Human Resources Information Systems (HRIS) to increase visibility quickly.

Incydr's Alerts allow security teams to configure alert rules that are triggered when certain file actions occur and/or activity thresholds are met.

Incydr's Risk Exposure Dashboard is the central location for security teams to review an overview of the risk activity within their environment and determine whether an inquiry or investigation is required.
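As an added example (not Incydr's code, and not Incydr's data model or API), the following Python sketch shows the shape of the detection logic described above: a watchlist built from a constructed HRIS export of departing employees, per-event rules that treat activity after an employee's last working day as the most severe case (access was never removed, the situation the Business Lifecycle section warns about), and a sliding-window threshold rule over constructed file events. The field names, destination categories, and thresholds are assumptions for illustration.

```python
"""Watchlist and threshold alerting over constructed file-event records.

Added example, not Incydr code: the event fields (user, ts, action,
destination, bytes), the HRIS export layout, and the rule thresholds are
assumptions made for illustration, not Incydr's schema or defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HRIS export: who is leaving and their last working day.
HRIS_EXPORT = [
    {"user": "alice", "status": "departing", "last_day": "2024-03-15"},
    {"user": "bob", "status": "active", "last_day": None},
    {"user": "carol", "status": "departing", "last_day": "2024-03-01"},
]

# Constructed file events, as an endpoint or cloud connector might report them.
EVENTS = [
    {"user": "alice", "ts": "2024-03-14T09:05:00", "action": "copy",
     "destination": "removable_media", "bytes": 52_000_000},
    {"user": "alice", "ts": "2024-03-14T09:06:00", "action": "copy",
     "destination": "removable_media", "bytes": 48_000_000},
    {"user": "bob", "ts": "2024-03-14T10:00:00", "action": "share",
     "destination": "corporate_drive", "bytes": 1_000},
    {"user": "bob", "ts": "2024-03-14T10:01:00", "action": "upload",
     "destination": "personal_cloud", "bytes": 2_000_000},
    {"user": "carol", "ts": "2024-03-14T11:00:00", "action": "upload",
     "destination": "personal_cloud", "bytes": 300_000},
    {"user": "dave", "ts": "2024-03-14T12:00:00", "action": "upload",
     "destination": "personal_cloud", "bytes": 9_000_000},
    {"user": "dave", "ts": "2024-03-14T12:20:00", "action": "upload",
     "destination": "personal_cloud", "bytes": 9_000_000},
    {"user": "dave", "ts": "2024-03-14T12:40:00", "action": "upload",
     "destination": "personal_cloud", "bytes": 9_000_000},
]

# Destinations the organization does not control (assumed classification).
UNTRUSTED_DESTINATIONS = {"removable_media", "personal_cloud"}


def build_watchlist(hris_rows):
    """Departing users mapped to their last working day (from the HRIS feed)."""
    return {
        row["user"]: datetime.fromisoformat(row["last_day"])
        for row in hris_rows
        if row["status"] == "departing"
    }


def watchlist_alerts(events, watchlist):
    """Per-event rules for watchlisted users moving data off-platform.

    Activity dated after the last working day is the worst case: the
    employee left but access was never removed, so it is rated critical.
    """
    alerts = []
    for e in events:
        if e["user"] not in watchlist or e["destination"] not in UNTRUSTED_DESTINATIONS:
            continue
        ts = datetime.fromisoformat(e["ts"])
        if ts.date() > watchlist[e["user"]].date():
            severity, rule = "critical", "activity after last working day; access not removed"
        else:
            severity, rule = "high", "departing employee moved data to untrusted destination"
        alerts.append({"severity": severity, "user": e["user"], "rule": rule, "event": e})
    return alerts


def threshold_alerts(events, count_threshold=3, bytes_threshold=50_000_000,
                     window=timedelta(hours=1)):
    """One alert per user whose off-platform activity exceeds a threshold
    (event count or total bytes) within a sliding time window."""
    by_user = defaultdict(list)
    for e in events:
        if e["destination"] in UNTRUSTED_DESTINATIONS:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["bytes"]))

    alerts = []
    for user, items in by_user.items():
        items.sort()
        start, total = 0, 0
        for end, (ts, size) in enumerate(items):
            total += size
            while ts - items[start][0] > window:  # slide the window forward
                total -= items[start][1]
                start += 1
            count = end - start + 1
            if count >= count_threshold or total >= bytes_threshold:
                alerts.append({"severity": "medium", "user": user,
                               "rule": f"{count} events / {total} bytes to untrusted "
                                       f"destinations within {window}"})
                break
    return alerts


def evaluate(events, hris_rows):
    """Run both rule sets; the combined list is what an analyst would triage."""
    watchlist = build_watchlist(hris_rows)
    return watchlist_alerts(events, watchlist) + threshold_alerts(events)


if __name__ == "__main__":
    for a in evaluate(EVENTS, HRIS_EXPORT):
        print(a["severity"].upper(), a["user"], "-", a["rule"])
```

Run directly, it prints the triage list: carol is critical (active after her last day), alice fires the departing-employee rule twice and the byte threshold once, dave trips the count threshold, and bob, an active employee with one small upload, produces nothing. The thresholds and the untrusted-destination set are exactly the knobs the IRWG's culture and tolerance discussions should feed into the technology leg.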

Response

  • Incydr's Cases help security teams manage and respond to investigations with tools that collect, organize, and retain user file activity.
  • By taking an Empathetic Investigations approach, security is in a much better place to understand why employees are making mistakes and breaking policy. With this understanding, security teams can offer employees the assistance and guidance they truly need to make better decisions with company data.
  • Incydr's Preventative Controls allow organizations to choose the appropriate response method depending on the action, up to and including blocking the action.

Incydr Instructor is specifically designed for adult learning to guide employees and help companies prevent and respond to risk events. Instructor's proactive and situational videos are designed to be given before an event occurs (such as annual training or when a role change occurs), while responsive videos can be triggered to send after certain risk criteria have been met.
(To view any videos mentioned below, navigate to the Instructor page in your console or reach out to your CSM for more information).

Proactive

Proactive lessons promote safe security and data handling. These lessons presume positive intent and teach employees security best practices. Generally, these lessons should be assigned to new employees and required annually for all employees.

  • Insider Risk & You: Remind users about the risks we all pose to data in our day-to-day work, and how to avoid them.
  • New IRM Program: Introduce your employees to the IRM program and provide best practices in protecting the company from risk.
  • Avoiding Common Data Risks: Various platform-specific videos that cover best practices.
  • Risk of Not Separating Personal / Business: Get new employees off to the right start in understanding the importance of storing and sharing files securely.

Situational

Situational lessons empower a more risk-aware workforce based on the employee lifecycle. These lessons are engaging and teach users how to handle data as their roles and responsibilities change.

Responsive

Responsive lessons provide just-in-time training as soon as a user makes a mistake. These lessons are non-accusatory and personable, which allows users to learn from their mistakes and build a positive relationship with the security team.
Instructor's library of responsive videos can be configured to trigger when specific actions occur that correlate with Incydr's risk detection settings.

Ecosystem Integrations


Incydr and Instructor were both designed to fit within an organization's larger ecosystem. In addition to Incydr's built-in detection and response capabilities, integrating with an HRIS, SIEM, and/or SOAR can speed up workflows, collect information in a central location, and perform additional response tasks.

Integration Options
There are many ways to integrate Incydr.
Reach out to your CSM or our sales team for more information.

Summary

Find The Balance

Developing an IRM Program is a complex process that involves diverse stakeholders, policies and procedures, and the appropriate technologies to detect, protect, and respond to insider risks. By viewing the program development as part of a three-legged stool approach to risk management, organizations can balance the best practices across people, process, and technology.

Knowledge Check

Let's see what we've learned about how to build an IRM Program!

Question One: It is a best practice to keep the creation and implementation of an IRM Program secret.

  • True
  • False
Answer

The answer is False.
Transparency about the creation and implementation of an IRM Program is a best practice; keeping it secret is not.

 

Question Two: Organizations should consider technology that provides detection, protection, and response capabilities.
 

  • True
  • False
Answer

The answer is True.


Question Three: What is not one of the five primary business risks?
 

  1. Legal/Compliance
  2. Reputational
  3. Natural
  4. Financial
Answer

The answer is 3.

Additional Resources

The items below, provided by Incydr, include downloadable documents and templates to use when developing and maturing an IRM Program.

Security Program Governance Template.

Ready for what's next?

Check out these resources and best practices from other industry leaders in the insider risk space.

Getting Started with Incydr

General Resources

Questions or Comments?

Reach out to your Customer Success Manager (CSM).
