Live Recap: Developing a Holistic Insider Risk Program

CODE42

Complacency is just as important as mal-intent

Not caring about something is just another way of being malicious. Whether it’s intentional or just due to complacency, going around security policies still creates the same amount of risk for the organization. According to Borna’s analysis, upwards of 30 percent of those who are investigated by the FBI and internal security teams fall into this bucket. It doesn’t take a hardened “cyber-criminal” to upload a file to their personal cloud storage or accidentally leave an object storage bucket open to the internet. Don’t sleep on complacency when designing your Insider Risk program.

Things aren’t happening in a vacuum

Insider Risk isn’t (usually) something that happens overnight. Very few people start at a company with the sole intention of taking or breaking data. There are indicators visible in users’ behavior and data practices that allow security teams to prioritize and ascertain where likely risks exist. Maybe the user has been printing a lot of things recently, or sharing or using an inordinate number of USB devices. Conversely, perhaps the user has stopped sending as many emails as they normally do. Sometimes these are entirely mundane behaviors that are the result of the user doing their job; other times they signal an imminent risk to organizational data.

Regardless of intent, it’s important to be able to collect, correlate, and visualize these indicators before the risk turns into a threat, so that the security team can intervene with a right-sized response (either a quick check-in to see if the user is ok, or other corrective action). We’ve talked about the importance of context on Code42 Live before, but in this case, it’s particularly important to remember that context is what allows the organization to identify the difference between users collaborating while doing their jobs and leaking data.
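To make the collect-and-correlate step concrete, here is an added example (not from the recap or from Code42) that compares each user's latest daily counts for the indicators mentioned above against that user's own baseline, in both directions, so a drop in email counts as much as a spike in printing. The data, the indicator names, the thresholds, and the mapping from correlated indicators to a response are all assumptions made for illustration.

```python
from statistics import mean, stdev

# Constructed sample data: daily counts per user; the last value is "today".
HISTORY = {
    "alice": {"print_jobs":  [2, 3, 1, 2, 3, 2, 2, 14],
              "usb_mounts":  [0, 1, 0, 0, 1, 0, 0, 6],
              "emails_sent": [40, 38, 45, 42, 39, 41, 44, 9]},
    "bob":   {"print_jobs":  [5, 4, 6, 5, 5, 4, 6, 5],
              "usb_mounts":  [1, 0, 1, 1, 0, 1, 0, 1],
              "emails_sent": [20, 22, 19, 21, 23, 20, 22, 21]},
    "carol": {"print_jobs":  [1, 0, 1, 2, 1, 0, 1, 9],
              "usb_mounts":  [0, 0, 1, 0, 0, 0, 1, 0],
              "emails_sent": [30, 28, 33, 31, 29, 32, 30, 31]},
}

Z_THRESHOLD = 3.0  # assumed cut-off for "unusual for this user"
MIN_SIGMA = 1.0    # floor so a near-constant baseline does not inflate scores

def zscore(series):
    """Signed deviation of today's count from the user's own baseline."""
    *baseline, today = series
    sigma = max(stdev(baseline), MIN_SIGMA)
    return (today - mean(baseline)) / sigma

def flagged_indicators(indicators):
    """Indicators that moved sharply up or down (two-sided test)."""
    flagged = {}
    for name, series in indicators.items():
        z = zscore(series)
        if abs(z) >= Z_THRESHOLD:
            flagged[name] = round(z, 1)
    return flagged

def triage(history):
    """Rank users by how many indicators deviate at the same time."""
    rows = []
    for user, indicators in history.items():
        flagged = flagged_indicators(indicators)
        if flagged:
            # Assumed mapping: one indicator -> check-in, several -> review.
            response = "prioritize for review" if len(flagged) >= 2 else "check-in"
            rows.append((user, response, flagged))
    return sorted(rows, key=lambda r: len(r[2]), reverse=True)

if __name__ == "__main__":
    for user, response, flagged in triage(HISTORY):
        print(f"{user:6} {response:22} {flagged}")
```

The scores say nothing about intent; the flagged indicators are only the starting point for the context check described above.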