When you think of insider risk, what comes to mind — fraud, IP theft, maybe even corporate espionage?
While those are all undoubtedly significant causes for concern, the reality is that the riskiest insiders in your organization don’t even know they’re doing anything wrong.
This calls for a “holistic” approach to insider risk management that doesn’t put off employees — but, rather, educates and trains them, fosters their collaboration and gains their buy-in.
This, at least, is the key message of a new Microsoft Insider Risk Report.
“There is no bright line between internal and external risk,” said Microsoft CISO Bret Arsenault. “As outside threats multiply, so do the risks that someone in your organization will fall prey to them.”
Risks inadvertent and malicious
Insider risk can be both inadvertent and malicious, as described in the report. It is defined as the potential for a person to use authorized access to an organization’s assets in a way that negatively affects the organization. This access can be physical or virtual, and assets can include information, processes, systems and facilities.
Inadvertent cases can include employees taking unsafe actions, being untrained or distracted, misusing resources or causing other accidental data leakage.
On the other hand, malicious insiders are intentionally seeking to cause harm in the way of fraud, IP theft, unauthorized disclosure, sabotage or corporate espionage.
The survey’s most significant findings:
- Data breaches arising from insider actions cost businesses an average of $7.5 million annually; that’s in addition to the reputational damage, IP loss, and legal expenses that 4 out of 5 security experts say insiders cost their organizations.
- Almost 40% of respondents said the average cost of a single data breach from an insider event was more than $500,000.
- The highest-rated impacts of insider risk events on organizations included theft or loss of customer data (84%) and damage to brand or reputation (82%).
- The average number of inadvertent events was roughly 12 per year.
- Malicious events totaled around eight a year.
- One-third of respondents reported that insider risk events increased in the past year, and a plurality (40%) expect them to increase going forward.
- Two-thirds highly agreed that, “Data theft or data destruction from departing employees is a form of insider risk that is becoming more commonplace.”
- Ranked by level of insider risk per department, IT (ironically, the department most often tasked with detecting and remediating insider risk) was identified most often (60%), followed by finance/accounting (48%), operations (44%) and senior leadership (40%).
Hybrid work a top culprit
Per the report, the number of businesses that are seeing increases in insider risk is far higher than those reporting declines.
A few trends contribute to this, said Arsenault. First: The rise in hybrid work. Microsoft’s 2022 Work Trend Index found that hybrid work now accounts for 38% of the workforce.
“That shift has fundamentally changed how we connect with each other,” said Arsenault. “It’s also created massive data estates spread across functions and platforms.”
All of which brings inherent risk, he said. “The same tools we use to communicate and collaborate can open doors to data theft, sensitive data leaks, harassment, and other forms of inadvertent and malicious insider risks.”
Companies across the country are at a crossroads as flexible work evolves into a standard practice for many employers, said Arsenault. “And with these digital transformations come new challenges for security and compliance teams as employees increasingly rely on collaboration tools and platforms from locations around the world,” he said.
Fragmented programs weak against sophisticated attacks
A second contributor is the increase in the size and sophistication of cyberthreats. Microsoft’s recent Digital Defense Report showed that cybercriminals overwhelmingly rely on successfully manipulating insider behavior to steal data, said Arsenault.
The third is how many organizations respond to this expanded threat landscape.
“A fragmented risk management program — one that over-indexes on negative deterrents, deprioritizes organizational buy-in, and treats the employee as a potential threat instead of a trusted partner — can drive the risks it’s supposed to mitigate,” said Arsenault.
Microsoft undertook this report because it wanted to understand the costs of insider risk and how it can impact organizations, he said.
“But we also wanted to understand how to address it; what an effective response looks like,” said Arsenault. “And we found that the best risk management programs weren’t the most invasive, or focused on constraining employee behavior. They were focused on building trust, on balancing security and privacy, and on educating and empowering their workforce.”
Positive and negative deterrents
Still, many organizations cited challenges and negative consequences with insider risk programs.
Many pointed to concerns over employee privacy rights (52%), loss of employee trust (51%), and general degradation of the working environment — investigations unfairly impacting employee careers and reputations, workplaces becoming more confrontational, negative impacts on employee retention and reduction in productivity.
The report defines positive deterrents as proactive measures such as employee-morale events, more thorough onboarding, ongoing data security training and education, upward feedback and work-life balance programs.
Negative deterrents check on and constrain employee behavior. This can include broad tools and solutions that block users from engaging with, accessing or sharing content — all of which can result in a more reactive environment.
The study developed the holistic insider risk management index (HIRMI), which identified three types of organizational risk management: “fragmented,” “evolving” and “holistic.”
Fragmented organizations (about one-third of respondents self-identified this way) recognize the need for insider risk programs but are often misaligned on success measures. They see value in positive deterrents that reduce risk but make little current use of them. They also believe they understand what is required to lower insider risk, but do not commit resources or gain company-wide buy-in, according to the survey.
By contrast, in holistic programs, privacy controls are used in the early stages of investigations. Holistic organizations get more buy-in from other departments such as legal, HR or compliance teams, per the survey. Leaders at holistic organizations also agreed that training and education are vital to proactively addressing and reducing insider risks.
Other key characteristics of holistic insider risk management include more frequent use of positive deterrents and integrated tool usage.
The tools respondents deemed most useful in preventing insider risk:
- Extended detection and response (XDR)
- Network detection and response (NDR)
- Privileged access management (PAM)
- User activity monitoring (UAM)
- Incident threat management
- Endpoint detection and response (EDR)
- Security information and event management (SIEM)
- User and entity behavior analytics (UEBA)
Holistic versus fragmented
The study found that 29% of organizations treated insider risk in a “holistic” way. And, more than 90% of those categorized as holistic said a key element to success is striking a balance between employee privacy and company security.
The ultimate key to establishing a holistic insider risk management program is building trust, said Arsenault. This means collaborating across functions, increasing employee training and awareness, and having strong privacy controls to ensure that employees feel respected and invested.
“It’s critical for organizations to address insider risk. But it’s just as important that they do so in the right way,” said Arsenault.
He added that, “the best risk management programs aren’t focused on constraining employee behavior. They’re focused on building trust, balancing security and privacy, and educating and empowering their workforce.”