This article contains information on building a successful Insider Risk Management (IRM) program, focusing on proactive strategies, empathetic investigations, and automated controls to mitigate risks, protect data, and ensure organizational security without disrupting workflows.
Overview
A successful Insider Risk Management (IRM) program requires response controls that automate resolution of everyday mistakes, block the unacceptable, and allow your security team to easily investigate what is unusual. In this course, we will cover how you can respond to the full spectrum of risk in a way that protects data without disrupting employees or burdening analysts.
Prerequisites
- You are an Incydr Administrator or Security Practitioner, with beginner to intermediate experience level.
- You are familiar with Incydr.
Introduction
How to Create a Successful Data Response Strategy
We suggest using a holistic approach across people, process and technology that includes empathetic investigations and automation, so that you spend your time on actual insider threats rather than on mistakes. The foundation is clearly communicating expectations; from there, you layer in defenses to minimize behavior drift across a continuum of control responses.
1. Set Expectations
Before you implement an Insider Risk Management program, you need to set transparent expectations with your users. It is critical to communicate your security policies and programs with your users so they can understand what is – and more importantly what is not – acceptable when it comes to sharing data. Setting the ground rules will not only get everyone on the same page, but will give you clear means to hold employees accountable when rules are broken.
2. Change Behavior
Once you have set expectations, you can focus on changing the behavior of users who will inevitably make non-malicious mistakes when it comes to data – they are only human after all. Real-time feedback to your users is critical when changing behavior. Having a program that can send tailored micro-training videos to users is an excellent way to hold users accountable.
3. Contain Threats
When an event happens, you need to be able to quickly and easily take action to minimize damage. You need to be able to quarantine an endpoint, remove or reduce system access, and revoke file sharing privileges on a user level. Once you’ve taken the appropriate action, you can conduct a thorough investigation into the event and determine the best course of action to secure the data and address the user, then escalate to business stakeholders.
4. Block Unacceptable Activity
Your highest risk users, like departing employees, contractors, and repeat offenders, pose a threat when sharing any data to destinations outside of your organization. By blocking activities for these users, you ensure the rest of your organization can continue to collaborate, while knowing data remains protected from the users most likely to cause harm.
Real-World Examples
Insider threats are notoriously challenging to detect. They could be a departing employee stockpiling data to get a leg up in their next job, a negligent remote worker connected to an unsecured network, or several other kinds of individuals. And one seemingly harmless move by a negligent contractor or malicious theft by a disgruntled employee can jeopardize your company’s data and IP. These situations can lead to financial or reputational damage, as well as a loss of competitive edge. Insider threats can affect companies of all sizes in all industries. These cases show the harm they can cause if companies don’t prevent or detect them.
In May of 2022, a research scientist at Yahoo named Qian Sang stole proprietary information about Yahoo’s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job.
A few weeks after the incident, Yahoo realized that Sang had stolen data (and a competitive analysis of The Trade Desk) and sent him a cease-and-desist letter.
Yahoo has brought three separate charges against Sang, including theft of IP data. In its filing, Yahoo claims that Sang’s actions divested it of the exclusive control of its trade secrets, information that would give competitors an immense advantage.
Not all insider threats are malicious. In August 2022, several Microsoft employees exposed login credentials to the company’s GitHub infrastructure. The information would have given anyone, including attackers, access to Azure servers and potentially other internal Microsoft systems. Exposing this data, as well as Microsoft source code, could’ve had devastating effects on the enterprise and its customers.
While Microsoft refused to elaborate on what systems the credentials protected, an outsider may have had the opportunity to move to other points of interest after gaining initial access. If the mistake had exposed European Union (EU) customer information, Microsoft could have faced a GDPR fine of up to €20 million. Fortunately, cyber security firm spiderSilk spotted the leaked credentials and notified Microsoft. The tech giant found that no one accessed the sensitive data, and is taking steps to prevent it from happening again.
Unfortunately, phishing attacks are a common vector for insider threats. In July 2020, hackers compromised multiple high-profile Twitter accounts using a phone-based spearphishing campaign against Twitter employees to promote a bitcoin scam. Initially, attackers sought information about internal systems and processes. Eventually, they found the right workers to target and gained access to account support tools that helped them break into 130 Twitter accounts.
While the scam had a relatively minor financial impact on Twitter and victims received their money back, the incident highlights the stakes of the company’s influential role in the information market and its immense security vulnerabilities.
Insider threat management is complex. It often feels like you have only two options. Option one: wait until an incident has occurred to start responding, by which point you are too late and the damage has likely already been done. Option two: proactively take excessive measures to shut down insider threats, which damages employee productivity and poisons the company’s employee experience.
Instead of the two extremes, we recommend taking a “right sized” approach to responding to insider threats. Critical components of a right sized response to insider threats are comprehensive data visibility and clear incident response policies. These enable a company to detect a potential data breach in its early stages and take action before any damage is done.
People
Stakeholder Alignment
Most organizational plans, priorities and metrics are rooted in a “time to reward” mindset for their stakeholders. This is how decisions get made. Time to market, time to revenue, time to value are all intrinsic to nearly every decision made at an organization – including how employees get their day to day work done. This is evidenced by the Annual Data Exposure Report findings:
- 63% of employees use unsanctioned applications weekly if not daily.
- Thus, 71% of enterprises lack visibility to sensitive data movement.
- Making employees 85% more likely to leak data than they were pre-COVID.
Business Risks
However, in order to benefit from a right-sized response strategy, your internal stakeholders must be aligned on how to prioritize business risk across the organization, so that security can build a data loss prevention and response strategy that measures value for the entire company. This starts with a conversation between business owners and security to quantify how your organization’s exposure impacts market position, revenue and brand value.
In order to effectively manage Insider Risk, we urge organizations to focus on when the risk to the organization is highest – when there is the most to lose relative to market position, revenue or valuation. Here are a few examples of organizational change or business life cycles that happen across organizations of all sizes.
Mergers and acquisitions (M&A) elevate the risk of corporate data loss and theft. Not only do they commonly trigger employee reorganizations, redundancies and layoffs, but employees of the sell-side company may leave voluntarily, due to worries about their job security.
Imagine a scenario where a high-tech startup was acquired for its innovative software. Reorgs are announced, layoffs are rumored, and recruiters begin to target the software developers with large compensation packages. A developer takes the new job and transfers some source code to their personal cloud account, thinking it will be useful in the new role. The loss of such IP, which represents much of the value of the M&A, is a dealmaker’s nightmare. The same can be said for data leaks before or after an Initial Public Offering (IPO). Imagine if the organization’s secret sauce, its trade secrets, its crown jewels leaked prior to the IPO or shortly after it – the impact could be devastating to investors and shareholders, not to mention the long-term brand and reputation damage.
Changes in executive leadership and restructuring efforts are common organizational changes, but changes at the top and reorgs put corporate data at increased risk. When leaders change and employees move to new teams or inherit additional job responsibilities, they gain access to new information and systems. Additionally, such change can generate new risk factors. Employees may become a flight risk if they dislike their new leader or job. They may also worry that a leadership change or restructuring will result in a layoff due to job redundancies.
Like leadership changes and reorgs, layoffs also increase Insider Risk, because they are often rumored before they’re announced. Many employees will begin proactively searching for jobs because they fear for their financial security, and take corporate files they believe will help them while they’re at it. Additionally, layoffs result in many departing employees at once, which is overwhelming for security teams who must ensure data remains protected. Not only are these departing employees more likely to take data with them when they leave, but they are more likely to be hurt and angry. Some may even wipe their computers clean and delete important work on their way out.
People Work Flow Considerations
It is important that, before an event occurs, you clearly outline whose job it is to do what. Below is an example of a detailed approach from an organizational roles and responsibilities perspective. Our guidance is to start small and iterate often, until you feel confident that you have the right people to complement the many types of actions that will be required from an employee and business life cycle perspective. Every organization is different, but typically at least the following departments/roles are involved during a data incident response process:
Example Response Organizational Structure (figure): the departments and roles involved in response, to ensure that all aspects of the business are being considered.
Identify Gaps and Communicate Trade-Offs
For your security team to proactively put in place the right people, process and technology to prevent Insider Risk, you first must know where you have potential gaps that allow data leak and theft, i.e. Insider Risk. Further, in times of heightened data sensitivity, such as the ones mentioned above, C-level executives and Boards want assurances that data use policies are being followed and that data governance and controls are effective. Simply assuming policies are being followed and your processes and technology are effective creates a false sense of security, and with that comes material risk to market position, competitive edge and brand value.
Looking for more in-depth information on a specific team or topic mentioned in this course? Check the Additional Resources section at the end of this course for additional modules.
Process
Consistency is Key
Playbooks, run books, manuals, and how-to guides are all designed to help those in a situation perform the steps needed to respond to the situation at hand. When it comes to a data loss response strategy, it's important for each team involved to know their specific duties and how they fit within the organization's larger investigations process. Not only does this make the stand down procedure easier, it also ensures a fair and consistent workplace for all involved.
Document the Ideal Process and Then Iterate
“Never trust, always verify” is critical to meeting the C-level and Board’s demands for process assurances – especially when the organization’s reputation is at stake. To create assurances, start by documenting your ideal data incident response process, and then identify the gaps and what to do about them. Below is an example of Google's data incident response playbook.
Data incident response example from Google
Incident Response Policy Template
Look for Gaps and Assess User Baseline Activities
Gaps in privileged access, policies and compliance, employee awareness and training and employee Shadow IT/Mirror IT usage are great places to start. To do so, conduct a quick assessment by monitoring all user activity, file movement and the vectors or destinations said files are moving to. If nearly two-thirds of employees use unsanctioned applications weekly to get their jobs done, odds are that sensitive corporate data is moving to and through these applications. In order for security to be adequately equipped to prevent corporate data leaks during times of lowered risk tolerance, you need to know where to start.
- Where do you trust sensitive data to be stored and who should have access?
- More importantly, what are the untrusted destinations sensitive data is moving to and who is moving it there?
Answering these fundamental questions arms security and the organization at large to ensure they not only put the right policies, governance and controls in place, but create assurances a sensitive data leak does not introduce material risk to a product launch, customer deal, partner contract, M&A, IPO, organizational change or technology rollout.
Best Practices for Data Incident Response
If you identify file movement that is unauthorized, start by assuming that the user did not intend anything malicious. Notify the user of the event and remind them of corporate policy. In most cases, the file misuse was unintentional. Taking an empathetic approach makes your users allies instead of adversaries, and helps them be more compliant in the future. Use Incydr Instructor to educate your users about proper file handling.
Consult with your insider risk working group or cross functional team members to discuss workflow processes for the range of incident severity types. For information on creating an insider risk working group, see our video series 8 Steps to Building an Insider Threat Program, and our article in this series on developing an insider risk program.
Decide when to review exposures, for example:
- When anomalies are observed?
- When alerts are received?
- When events that meet certain criteria are received in your security operation center (SOC) platform?
- When alerts from an endpoint detection and response (EDR) system meet certain criteria?
Determine which events to escalate based on their severity and frequency and whether they are intentional:
- Severity Type 1 / Frequency Volume 1-X: Inadvertent/non-malicious data exfiltration, non-strategic asset
- Severity Type 2 / Frequency Volume 1: Inadvertent/non-malicious data exfiltration, strategic asset
- Severity Type 3 / Frequency Volume 2-4: Potentially malicious data exfiltration, strategic asset
Formalize the communications to send in response to exposures with business team members, human resources, and legal to ensure consensus. For an example process, see the section on building workflows below.
The following table is an example of defining severity levels to be used in incident response. Keep in mind this is an example only; you must develop your own set severity levels.
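The severity types and frequency volumes listed above, turned into triage logic, as an added example that is not part of this course or of Incydr itself. The response actions per severity type and the rule that a repeat strategic-asset exfiltration by the same user is treated as potentially malicious are assumptions made for the illustration; the events are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class RiskEvent:
    user: str
    file: str
    destination: str
    strategic_asset: bool   # e.g. source code or trade secrets, as classified by the business
    intent_flag: bool       # analyst-supplied indicator of possibly malicious intent (constructed)


def severity_type(event, prior_strategic_events):
    """Map one event to the course's three severity types.

    prior_strategic_events is how many earlier strategic-asset exfiltration
    events this user already had (frequency volume).
    """
    if not event.strategic_asset:
        return 1  # Type 1 / Frequency 1-X: inadvertent, non-strategic asset
    occurrence = prior_strategic_events + 1
    if event.intent_flag or occurrence >= 2:
        # Type 3 / Frequency 2-4: potentially malicious, strategic asset.
        # Assumption: a repeat strategic-asset event counts as potentially malicious.
        return 3
    return 2  # Type 2 / Frequency 1: inadvertent, strategic asset, first occurrence


# Assumed responses per severity, following the "assume non-malicious first,
# escalate high/critical to HR and Legal" guidance in this course.
RESPONSE = {
    1: "notify user, remind of policy, send micro-training",
    2: "open case, investigate, notify user",
    3: "contain (revoke sharing / reduce access), open case, escalate to HR and Legal",
}


def triage(events):
    """Return (user, file, severity, response) for each event, in order."""
    seen = Counter()  # per-user count of strategic-asset events processed so far
    results = []
    for e in events:
        sev = severity_type(e, seen[e.user])
        if e.strategic_asset:
            seen[e.user] += 1
        results.append((e.user, e.file, sev, RESPONSE[sev]))
    return results


# Constructed sample events
SAMPLE_EVENTS = [
    RiskEvent("alice", "meeting-notes.docx", "personal-drive.example.net", False, False),
    RiskEvent("bob", "pricing-engine.py", "personal-drive.example.net", True, False),
    RiskEvent("bob", "pricing-engine-v2.py", "usb-removable-media", True, False),
    RiskEvent("carol", "customer-list.xlsx", "personal-email.example.net", True, True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

The frequency count is kept per user across the batch, so the second strategic-asset event from the same user escalates even without an intent flag; a real implementation would read that history from the case management system rather than from an in-memory counter.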
When we are talking about investigations, escalations and triage, we need to make sure that the process works, is being followed and applied to all employees equally. Also, it relates back to the need for buy-in, clearly defined goals and outcomes and connection to organizational values. Then, make sure that everyone is on the same page. If not, your written processes and your “actual” processes will create misalignment, which produces vulnerabilities or blind spots.
Check your blind spots
Security
Security will be in charge of detecting any risk events and performing any follow-up investigation. The investigation workflow should be documented, including thresholds and notification requirements. During an investigation, if security is made aware of an employee's intent to depart, this can help confirm the appropriate process and urgency. An investigation should be properly tracked in a case management system. A documented investigation procedure should include high and critical risk situations in which stakeholders such as HR and Legal are brought in to determine the appropriate action(s).
Follow the highlighted path to see an example workflow.
As with any insider risk investigation, maintaining the privacy of and respect for the affected individual(s) is of the utmost importance. Some organizations require analysts who investigate insider risk events to sign a non-disclosure agreement (NDA) to maintain confidentiality.
What Policies Should be in Place?
Every organization is different, so the required policies will also be different for every organization. Organizations may also have a different name for a policy, or have a policy within a larger document (e.g. maybe the acceptable use policy is inside of the larger corporate security policy). With that in mind, here are a few of the key principles that should be documented throughout the employee's tenure and available for reference at their departure:
- Who owns information created by the company or while on company time.
- What tools and resources can be used.
- What can(not) be kept on company-owned resources.
- Personal use of company-owned resources and/or Bring Your Own Device (BYOD).
- Data classification and how to handle data at each classification.
Still not sure? Take a look at our Acceptable Use Policy template to get started.
Looking for more in-depth information on a specific team or topic mentioned in this course? Check the Additional Resources section at the end of this course for additional modules.
Technology
Data risk isn’t black and white – it’s a spectrum.
Incydr Overview
Incydr is designed to help detect risk events: suspicious file movement, unapproved sharing, and exfiltration activities. It is the only Insider Risk Management solution that provides security teams with the full spectrum of response controls needed to address insider threats and build a security-first culture that reduces risk. Only with Incydr, you can:
- Automatically send tailored micro-training to correct employee mistakes as they happen – driving down event volume and risk to data.
- Contain insider threats and speed investigations, with both integrated case management and access to file contents.
- Block unacceptable data movement without the management burden, inaccuracy, and endpoint impact of content-based policies.
Our Approach to Blocking
Our approach to blocking is focused on the user populations who represent the greatest risk to your business.
Watchlists are used by Incydr to group and manage populations of employees with similar risk traits. As such, watchlists are used to configure blocking.
Preventative controls can be targeted for specific employees using watchlist settings. Employees can be assigned to watchlists in a number of ways:
- Manually (via alerts, user profiles, or directly from watchlist settings).
- Automatically (via Identity management or HRIS attributes).
- Custom integrations with SOAR and other workflow tools.
Data collected by Incydr shows web browsers are one of the most common methods used to exfiltrate data. During a file upload, Incydr evaluates your list of trusted activity to determine whether the upload to that specific domain should be blocked. If the destination URL is specified in your trusted activity list, the upload is considered “Trusted” and allowed. Otherwise, it’s blocked.
Additionally, there are a number of situations where the “URL” or “Tab Title” information cannot be evaluated for trust, as the metadata collected is not unique between corporate and personal activity. In the case of uploads to Google Drive, OneDrive, Box, Microsoft 365 email, Gmail, and Slack, we will analyze the site’s logged in username to evaluate trust. This control requires that the Incydr security extension is deployed to web browsers used by employees.
Historically, Incydr’s monitoring has focused on the movement and exfiltration of files. As employees become more aware of security tools and controls around file movement, they are likely to consider alternative avenues. One of those avenues may include using the operating system’s clipboard to copy and paste either text or files into untrusted destinations like AI tools, personal email messages, or note taking applications.
When employees paste a file or text, Incydr evaluates your list of trusted activity to determine whether pasting to that specific domain should be blocked. To avoid interrupting employee workflows, this blocking approach evaluates where the data was copied from. As a result:
- When an employee copies data from an untrusted website source, it can be pasted to either a trusted or untrusted website destination.
Incydr only blocks pasting clipboard text contents greater than 50 characters, and will not block pasting into any password field.
This approach enables employees to copy and paste short phrases, passwords, and URLs without interrupting their typical workflow.
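The upload and paste rules described in this section, as an added example that is not part of this course and is not Incydr's own code. It assumes a constructed trusted-activity list, a constructed corporate account domain, and assumed hostnames for the services where the logged-in username decides trust; the rule that a paste copied from a trusted source and pasted to an untrusted destination is blocked is also an assumption, since the course states only the untrusted-source case.

```python
from urllib.parse import urlparse

# Constructed trusted-activity list: destinations the organization trusts.
TRUSTED_DOMAINS = {"corp-share.example.com", "wiki.example.com"}

# Constructed corporate identity domain, used when trust is decided by the signed-in account.
CORPORATE_ACCOUNT_DOMAINS = {"example.com"}

# Assumed hostnames for the services this course names where URL / tab title
# alone cannot distinguish corporate from personal use.
ACCOUNT_BASED_SERVICES = {
    "drive.google.com",    # Google Drive
    "onedrive.live.com",   # OneDrive
    "app.box.com",         # Box
    "outlook.office.com",  # Microsoft 365 email
    "mail.google.com",     # Gmail
    "slack.com",           # Slack (workspace subdomains match via suffix)
}

PASTE_MIN_CHARS = 50  # pastes of 50 characters or fewer are never blocked


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def is_trusted_destination(url, logged_in_user=None):
    """Trust by domain, except for account-based services where the signed-in
    account's domain decides."""
    host = _host(url)
    if _matches(host, ACCOUNT_BASED_SERVICES):
        if not logged_in_user or "@" not in logged_in_user:
            return False  # no corporate sign-in observed: treat as untrusted
        return logged_in_user.split("@", 1)[1].lower() in CORPORATE_ACCOUNT_DOMAINS
    return _matches(host, TRUSTED_DOMAINS)


def evaluate_upload(url, logged_in_user=None):
    """Browser file upload: allowed only to a trusted destination."""
    return "allow" if is_trusted_destination(url, logged_in_user) else "block"


def evaluate_paste(text, source_url, dest_url, is_password_field=False,
                   source_user=None, dest_user=None):
    """Clipboard paste of text: short pastes and password fields are never blocked;
    data copied from an untrusted source may go anywhere."""
    if is_password_field or len(text) <= PASTE_MIN_CHARS:
        return "allow"
    if not is_trusted_destination(source_url, source_user):
        return "allow"  # copied from an untrusted source: trusted or untrusted destination is fine
    if is_trusted_destination(dest_url, dest_user):
        return "allow"
    return "block"  # assumption: trusted source -> untrusted destination is blocked


if __name__ == "__main__":
    print(evaluate_upload("https://drive.google.com/upload", "alice@gmail.com"))  # personal account
    print(evaluate_paste("x" * 120, "https://wiki.example.com/page", "https://chat.example.net"))
```

Keeping the trust decision in one function means the upload path and the paste path cannot drift apart: adding a destination to the trusted list, or a new account-based service, changes both controls at once.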
Additional Response Controls
- Incydr's Cases help security manage and respond to investigations with tools that collect, organize, and retain user file activity.
- By taking an Empathetic Investigations approach, security is in a much better place to understand why employees are making mistakes and breaking policy. With this understanding, security teams can offer employees the assistance and guidance they truly need to make better decisions with company data.
- Incydr's Preventative Controls allow for organizations to choose the appropriate response method depending on the action, up to and including blocking of the respective action.
Example Work Flow
Data doesn’t move outside your organization by itself. It’s your employees who move it. Data loss from insiders is a growing concern for organizations. In fact, there was a 32% year-over-year average increase in the number of insider events this past year, equating to an average of 300 events per company per year. And it’s not slowing down. 71% of companies expect data loss from insider events to increase in the next 12 months. This increase in events will create more work for your security teams who are already stretched thin. In order to respond to these increasing events you need a program that’s both scalable and effective.
Departing employee work flow example.
Incydr Instructor is specifically designed for adult learning to guide employees and help companies prevent and respond to risk events. Instructor's proactive and situational videos are designed to be given before an event occurs (such as annual training or when a role change occurs), while responsive videos can be triggered to send after certain risk criteria have been met.
(To view any videos mentioned below, navigate to the Instructor page in your console, or reach out to your CSM for more information).
Proactive
Proactive lessons promote safe security and data handling. These lessons presume positive intent and teach employees security best practices, including reminders for all users about the risks they pose to data in their day-to-day work and how to avoid them. Additionally, we provide Templates (requires login) to help keep company data ownership in mind throughout the employee lifecycle.
Situational
Situational lessons empower a more risk-aware workforce based on the employee lifecycle. These lessons are engaging, and teach users how to handle data as their roles and responsibilities change. Instructor includes multiple video versions, depending on the role of the recipient.
Responsive
Responsive lessons provide just-in-time training as soon as a user makes a mistake. These lessons are non-accusatory and personable, which allows users to learn from their mistakes and build a positive relationship with the security team. Instructor has a library of videos that correlate with the risk setting detection capabilities of Incydr.
The Incydr Ecosystem is a growing network of strategic partnerships and technology integrations that enable organizations to speed Insider Risk detection and response.
Ecosystem Integrations
Incydr and Instructor were both designed to fit within an organization's larger ecosystem. In addition to Incydr's built-in detection and response capabilities, integrating with an HRIS, SIEM, and/or SOAR can speed up workflows, collect information in a central location, and perform additional response tasks.
There are many ways to integrate Incydr.
Reach out to your CSM or our sales team for more information.
Summary
As companies launch new flexible work policies, software for monitoring employees’ productivity is gaining popularity worldwide. CISOs will overcorrect by reducing the scope of insider threat programs, thus, increasing risk. They must educate their organization about the program’s benefits and ensure employees understand the boundaries that prevent disproportionate and unethical monitoring.
Forrester Predictions 2022: Cybersecurity, Risk and Privacy
Communicate, Prepare and Iterate
Building a data incident response strategy can feel overwhelming, however we believe that you can respond to the full spectrum of risk in a way that protects data without disrupting employees or burdening analysts.
- Ally the business with security to protect IP while ensuring both security and employees can work productively and without friction.
- Tailor your response to the offender and offense.
- Detect data theft by pairing full cloud and endpoint visibility with contextual prioritization and file contents. And by reducing your blind spots, you can improve your overall risk posture across the entire organization.
Knowledge Check
Ready to test your skills on data incident response strategy?
Question One: Insider threats are notoriously challenging to detect because: (Choose all that apply)
- They can come from a departing employee stockpiling data to get a leg up in their next job.
- A negligent remote worker connected to an unsecured network.
- Other.
The answer is 1, 2 & 3.
Question Two: What is an example policy that lets employees know what they can and cannot do with company resources? (Choose one)
- Bring Your Own Device (BYOD) Policy.
- Acceptable Use Policy.
- Data Deletion Attestation.
- Data Disclosure Policy.
The answer is 2.
Question Three: Security leaders can start detecting insider threat indicators before damage occurs by implementing strategies for insider threat prevention — including using software that monitors for data exfiltration from insiders. (Choose one)
- True.
- False.
The answer is True.
Question Four: Match the appropriate Instructor video category with its description.
- Responsive.
- Situational.
- Proactive.
- These lessons provide just-in-time training as soon as a user makes a mistake.
- These lessons empower a more risk-aware workforce based on the employee lifecycle.
- These lessons promote safe security and data handling from the start.
The answer is:
- Responsive - These lessons provide just-in-time training as soon as a user makes a mistake.
- Situational - These lessons empower a more risk-aware workforce based on the employee lifecycle.
- Proactive - These lessons promote safe security and data handling from the start.
Additional Resources
People
Empathetic Investigations Course. Instead of investigating employees the same way we investigate threats from external actors, it’s time to take a more empathetic approach to investigations.
Process
Response Playbooks
Creating response playbooks can ensure everyone knows their responsibility and what the process is during an investigation.
Attestation Template
Organizations may modify this template and distribute it to employees in the event they find themselves implicated in an Insider Risk Data Incident. Consult with your General Counsel prior to utilizing this template.
Unauthorized Data Transfer & Deletion Attestation Template
Getting Started with Incydr
General Resources
Questions or Comments?
Reach out to your Customer Success Manager (CSM).