
Insider risk detection and response: a deep dive

November 6, 2023
Cyrus Tehrani

To meet the demands of massive cloud migration and digital transformation, businesses across every industry increasingly rely on the data they store, process, and manage. As a result, the risk of a data breach today is greater than ever before.

While external threats get all the publicity, the reality is that employees pose a significant risk to data security. From using weak passwords to falling for phishing scams to a lack of overall security awareness, employees can inadvertently or intentionally put sensitive data at risk.

With the right combination of technology and corporate policies, weak passwords and falling for phishing emails can be addressed. However, improving employee awareness about the importance of data security is a monumental — and almost impossible — task, where all the training in the world may not suffice.

Employees are busy, and productivity in today’s fast-paced business environment is crucial. Unfortunately, productivity also comes at the expense of security. Employees may not fully understand the value of the data they work with and, therefore, may not take the necessary precautions to protect it.

Let’s take a deep dive into insider threats and explore how companies can mitigate the risk.

What are insider threats?

Insider threats originate from anyone with authorized access to an organization’s resources, which puts them in a position to exploit vulnerabilities from within. Insider access is typically from current employees, who are integral to daily operations and have direct access to company resources. However, factors like dissatisfaction, personal issues, or external influences can sometimes drive them to compromise security. Former employees, though no longer active members of the organization, also pose a risk if they retain access or hold onto unresolved grievances.

It’s important to note that contractors and business partners, whose temporary or project-based association means they may lack the same level of commitment, can present a security concern.

Insider threats themselves can be classified broadly into two types: unintentional and intentional. Unintentional threats aren’t driven by malicious intent — simple acts like accidentally sharing confidential data or unknowingly introducing malicious software into the network are prime examples. Intentional threats are far more sinister, involving deliberate attempts to harm, steal, or disrupt. Malicious intent may result in data theft or deliberate sabotage of organizational operations.

Key insider threats

While the risk of getting hacked or attacked has undoubtedly increased, the potential risk to sensitive data is much greater from within. Employees with access to sensitive data may intentionally or unintentionally misuse it, leading to data breaches or other security incidents.

While employees may not intentionally put data security at risk, their actions can have serious consequences.

Here are a few of the root causes of insider risk from employees.


As mentioned above, one of the most common causes of insider risk is the lack of proper training and education on data security best practices.


Especially with the popularity of remote and hybrid work, employees are increasingly using personal devices or cloud-based services for work-related tasks, which can boost the risk of data breaches.

Shadow IT

With Shadow IT, employees use unauthorized software or services for work-related tasks without the knowledge or approval of their IT department. This can lead to data security risks as these unapproved tools may not have the necessary security measures in place to protect sensitive data.

Social engineering

Employees may fall victim to social engineering tactics, such as phishing emails or social media scams, which can trick them into sharing sensitive information or downloading malware onto their devices. These tactics can be highly effective as they often appear to be legitimate and can exploit human vulnerabilities.

Risky sharing

Sensitive data is everywhere: cloud, on-premises, email messages, Slack channels, personal devices and more. Often, that data is unstructured. Employees may send data to their personal email accounts, store it on a network resource with overly permissive access, or send it to unauthorized third parties.

Risky sharing: the insider risk you need to know about

Our team at Concentric AI publishes a Data Risk report twice a year based on our comprehensive findings. Using advanced AI capabilities, Concentric processed over 500 million unstructured data records from companies in the technology, financial, energy and healthcare sectors. This report underscores the risk to unstructured data in the real world by categorizing the data, evaluating business criticality, and accurately assessing risk.

Our most recent report analyzed over 550 million data records and found that 16% of an organization’s business-critical data is overshared. That adds up to a lot of data: on average, organizations have 802 thousand files at risk due to oversharing.

Other notable statistics include:

  • 83% of the at-risk files were overshared with users or groups within the company (flat from prior quarter)
  • 17% were overshared with external 3rd parties
  • 90% of business‐critical documents are shared outside the C‐suite
  • 87K business-critical files were erroneously classified and accessible by employees who should not have access to them
  • On average, each employee is responsible for 2506 business-critical documents

Some all-too-common risky sharing use cases

There are numerous ways in which employees can put sensitive data at risk. Here are just a few use cases that are far too common:

Sharing with external users

Employees may or may not realize that the document or data they share with a third party is considered sensitive or confidential.

Sharing with internal users

Just because the person or people the employee is sharing the data with work for the company doesn’t mean that data should be accessible to everyone in the business.

Misclassified confidential files

While an organization may have a data classification system in place, many data classification methods are not accurate enough, and data may not be appropriately classified. For example, other security solutions routinely use document metadata, such as the “confidential” tag, to enforce policy. If a file isn’t classified correctly, the risk increases substantially.

Storing in the wrong location

In the name of productivity, employees will often store data or documents in a common folder accessible to many or all employees. Overly permissive access to sensitive data is a massive security risk that’s easily preventable.

Sharing with personal email accounts

In another attempt to enhance productivity, employees will share confidential data with their personal email accounts so they can work from home.

Detecting insider risk

Let’s be frank: detecting insider risk is challenging and can be costly for all company types and industries. It’s a dual-edged sword – while small companies may lack the resources, large companies have so many employees that their risk is much greater.

Two key ways to address insider threat detection are taking a human resource approach and leveraging technology. A mix of both is best.

From the technical behavior perspective, companies can look out for unauthorized system access, unusual data transfers, or systematic attempts to bypass security. From a psychological behavior perspective, red flags can include drastic changes in employee behavior, expressed dissatisfaction with the company, or reactions to personal crises.

On the technology solution side, leveraging User and Entity Behavior Analytics (UEBA) can help establish a ‘normal’ baseline of user behavior. UEBA flags any deviations, indicating potential malicious activity.

Companies can also deploy Data Loss Prevention (DLP) tools to ensure sensitive data isn’t moved outside the organization, either intentionally or accidentally.

Auditing is crucial: regularly checking user activities can uncover suspicious behavior, especially when users access data not required for their job roles.
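The baseline-and-deviation idea behind UEBA and the role-based audit check described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the audit events, the role-to-category map, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample audit events: (day, user, role, data_category, mb_transferred)
EVENTS = [
    (1, "alice", "sales", "sales", 40), (2, "alice", "sales", "sales", 55),
    (3, "alice", "sales", "sales", 45), (4, "alice", "sales", "sales", 50),
    (5, "alice", "sales", "sales", 60), (6, "alice", "sales", "sales", 900),
    (1, "bob", "hr", "hr", 20), (2, "bob", "hr", "hr", 25),
    (3, "bob", "hr", "finance", 22), (4, "bob", "hr", "hr", 18),
    (5, "bob", "hr", "hr", 24), (6, "bob", "hr", "hr", 26),
]

# Hypothetical entitlement map: data categories each role needs for its job.
ROLE_CATEGORIES = {"sales": {"sales"}, "hr": {"hr"}}

def daily_totals(events):
    """Sum transferred MB per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _role, _cat, mb in events:
        totals[user][day] += mb
    return totals

def volume_deviations(events, k=5.0, min_history=3):
    """Flag days whose transfer volume exceeds the user's own baseline.

    Baseline is the median of the user's earlier days; spread is the
    median absolute deviation (MAD), which one past spike cannot inflate.
    """
    alerts = []
    for user, days in daily_totals(events).items():
        ordered = sorted(days.items())
        for i, (day, mb) in enumerate(ordered):
            history = [v for _, v in ordered[:i]]
            if len(history) < min_history:
                continue  # too little data to define "normal" yet
            base = median(history)
            mad = median([abs(v - base) for v in history]) or 1
            if mb > base + k * mad:
                alerts.append((user, day, mb, base))
    return alerts

def out_of_role_access(events, role_categories=ROLE_CATEGORIES):
    """Audit check: accesses to data categories outside the user's role."""
    return [(user, day, cat) for day, user, role, cat, _mb in events
            if cat not in role_categories.get(role, set())]
```

On the sample data, the volume check flags only the 900 MB day against a 50 MB baseline, while the audit check flags the HR user's access to finance data even though that user's transfer volume stayed normal.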

Insider risk management and response

When it comes to reducing insider risk surrounding sensitive data, all the security policies, security awareness training, and numerous data protection solutions can only go so far. Today, organizations require a modern, AI-based solution that focuses specifically on preventing employees from putting sensitive data at risk — sometimes before they can even act.

To best manage risk, sensitive data needs to be identified, classified and remediated if at risk.

Today’s best-of-breed data security solutions leverage sophisticated natural language processing capabilities (a type of deep learning) to accurately and autonomously categorize data into categories that include privacy-sensitive data, intellectual property, financial information, legal agreements, human resources files, sales strategies, partnership plans and other business-critical information.

Once that data has been identified and classified, the solution can autonomously remediate the risk by changing entitlements, adjusting access controls, or preventing the data from being shared.

The bottom line: with so much data to manage, organizations should not expect their employees to be perfect stewards of data risk; it’s hard enough for security teams. The risk of data breaches and other security incidents caused by employee actions underscores the importance of a strong and comprehensive data security strategy.

By understanding both the risks and the solutions available to manage them, organizations are in a much better position to approach data security.

