The crux of the insider threat challenge is that everyone can be a risk. That’s why most security teams are focusing on gaining broader and deeper visibility into all file activity — especially the surge in remote, off-network activity. But this doesn’t mean that security teams should discount their hard-earned experience and knowledge about where risks are most likely to be found. For example, we all know departing employees are a concentrated risk. But in a typical organization, there are several other categories of high-risk employees:
- Flight risks: Employees that have expressed job dissatisfaction, recently missed a promotion, or have documented conflicts with colleagues.
- Performance concerns: Employees with recent negative performance reviews, or that have been demoted or placed on a performance improvement plan.
- Traveling employees: Employees who are traveling for work — particularly to a region that might be considered high-risk, such as China.
- Security risks: Employees who repeatedly break security protocols (intentionally or otherwise), such as clicking on phishing links, or fail security awareness training.
- Privileged access: Employees with credentials/authorized access to intellectual property or working on high-value, high-sensitivity projects and files — such as an M&A transaction, new product development or other leading-edge innovation.
Don’t overlook senior leadership
Senior leadership will almost always fall into the “privileged access” category — and this includes CSOs and other security leaders. It’s not just that these high-ranking employees have access to high-value information — they’re often more likely to do things that put themselves at risk: Code42’s 2019 Data Exposure Report found that 65% of CEOs admitted to clicking a dangerous link — and more than 3 in 4 CSOs admitted to clicking a link they shouldn’t have.
Build a tight connection with HR and Line of Business leaders
Many of the high-risk categories above are dynamic — they change from week to week or even day to day. Security teams need to be tightly connected to HR and line of business (LOB) leaders to maintain oversight of these high-risk user groups. For example, a security lead should be part of the HR workflow when employees are put on performance improvement plans or flagged for other personnel issues. Code42 is even working on automated workflows that integrate with an HR system like ADP or Workday to make this connection seamless and automatic in the future. Likewise, it’s important for security teams to know when employees are traveling to high-risk regions. And they need to be in continuous communication with LOB leaders, so they know about business-critical projects that involve highly sensitive content and new IP.
Code42 provides a flexible lens to focus on your high-risk users
Identifying high-risk users is the first step — effectively monitoring them is a unique challenge. Code42 designed our Incydr detection and response platform to solve this challenge. Incydr lets you monitor your high-risk users without impeding their ongoing work. And it uses AI-driven alerting to give you a high-fidelity risk signal you can trust. Here’s a quick example of how Incydr could help an entertainment company target the high-risk users working on a highly anticipated TV series’ finale episode:
- Security admin adds the production team working on the final episode to the Incydr high-risk employee lens.
- Incydr detects file sharing and exfiltration across computers, cloud and email through an agent and direct cloud and email integrations.
- Security gets notified when high-risk employees move or share files to untrusted places, or when activity meets other risk indicators, such as an employee moving files during times they don’t typically work. This allows you to quickly prioritize what activity to review first.
- If risky activity requires investigation, Incydr lets you quickly access everything you need: see the user’s historical activity trends, detailed context on the files, vector and user involved, and even review the file contents in question.
In this example, the security team gets alerted that a video file was downloaded by a member of the production team. The analyst is immediately able to open up the file in question and confirm that it is a near-final version of the finale episode. The analyst can also see the exact time of the download, as well as the vector (even the brand and serial number of the external drive). Armed with that evidence, the security team can rapidly escalate the risk and respond accordingly — whether through automated SOAR action, a friendly corrective conversation with HR, or legal action.
That’s what a smart insider risk program looks like: combining the expertise of security pros with the focused capabilities of next-generation technologies.
