When we think about data protection and cybersecurity, organisations have traditionally not considered their own security culture and the inherent insider risk. Instead, the focus is often on external adversaries. However, insiders often have access to the most sensitive information, and the risks they pose can be inadvertent or malicious. Either way, the need to gain visibility and mitigate the risk as quickly as possible has never been greater.
According to the 2020 Ponemon study, The Cost of Insider Threats, the average cost of insider risk has increased 31 percent since 2018, to about £8.2m per incident. With the rise of hybrid working, leaders and IT teams must have visibility over insider risks, and employees need to be educated and become security champions to reduce the risk of insider threats.
Two years ago, a team of Microsoft engineers asked Microsoft’s CISO: “What keeps you up at night?” To the surprise of many, the response was not the ever-growing sophistication of external threats. Instead, it was insider threats. Fast forward to March 2021 and Microsoft now has a comprehensive and fully functional UEBA (user and entity behaviour analytics) solution. Insider Risk Management helps leaders identify insider risks in Microsoft 365 and mitigate them accordingly. In addition, it’s important that leaders foster a security culture that empowers employees with the knowledge and the tools to stay secure, no matter where they are.
What is an insider risk?
Firstly, let’s discuss what an insider risk is. It can come in many forms, and the scale varies widely. Common insider threats include:
- Accidental/malicious data leaks
- Workplace harassment
- IP theft
- Falling victim to fraud
- Insider trading
- Policy violations
- Regulatory violations
Insider risk can surface as anything from a new employee downloading and accidentally sharing sensitive information publicly, to a malicious actor who has taken a bribe from an external adversary to install malware on the corporate network. Moreover, insider risk is more common than most people think. In a 2020 study, Insider Threat Statistics: The seriousness of insider threats, intentional or not, 19 percent of people said they had been involved in an insider data breach.
Sometimes insider risk stems purely from frustration. If you don’t have the right tools in place for employees to do the work they need to, they are more likely to look for workarounds such as downloading unchecked third-party software. Here is an interesting early observation from malicious cases of insider risk: more often than not, each case starts with a large increase in profanity used across Microsoft 365. This suggests that organisations could identify a disgruntled employee and address their needs before there is a wider issue.
These incidents can be addressed with training and/or automated redirection to the organisation’s policy page. However, without real-time insight, it is hard for any leader to ascertain the activity levels associated with insider risk and, subsequently, how to mitigate them.
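The observation above is a behavioural-baseline signal: what matters is not the absolute count of flagged language but a sharp departure from a user's own history. The following is an added illustration of that idea, not code from Microsoft's Insider Risk Management product; it assumes a weekly count of flagged-language messages per user (the sample data below is constructed) and flags only users whose current week deviates from their own baseline by both a statistical and an absolute margin, so a consistently high user and a one-message blip on a near-zero baseline are not alerted on.

```python
"""
Baseline-deviation detector for a per-user behavioural signal.

Added illustration, not Microsoft's Insider Risk Management code. It assumes
a weekly count of flagged-language messages per user (constructed sample data
below) and raises an alert when the current week departs sharply from that
user's own history, which is the kind of early signal the post describes.
"""
from statistics import mean, pstdev

# Constructed sample: weekly counts of flagged-language messages per user.
# The last value in each list is the current week.
SAMPLE_WEEKLY_COUNTS = {
    "user-001": [2, 1, 3, 2, 2, 1, 2, 14],       # sudden spike in the final week
    "user-002": [0, 1, 0, 0, 1, 0, 1, 1],        # stable, low baseline
    "user-003": [9, 11, 10, 12, 9, 10, 11, 12],  # high but consistent
}

MIN_HISTORY_WEEKS = 4   # do not score users without enough baseline data
Z_THRESHOLD = 3.0       # how many standard deviations counts as a deviation
MIN_ABSOLUTE_JUMP = 5   # ignore spikes too small to matter even if "anomalous"


def score_user(history, current):
    """Return (z_score, baseline_mean) comparing the current week to history."""
    mu = mean(history)
    sigma = pstdev(history)
    # Floor sigma so a perfectly flat history does not divide by zero and
    # so that a one-message blip on a near-zero baseline is not a 'spike'.
    sigma = max(sigma, 1.0)
    return (current - mu) / sigma, mu


def find_deviations(weekly_counts, z_threshold=Z_THRESHOLD,
                    min_history=MIN_HISTORY_WEEKS,
                    min_jump=MIN_ABSOLUTE_JUMP):
    """Return {user: details} for users deviating from their own baseline."""
    flagged = {}
    for user, counts in weekly_counts.items():
        history, current = counts[:-1], counts[-1]
        if len(history) < min_history:
            continue  # insufficient baseline; skip rather than guess
        z, mu = score_user(history, current)
        if z >= z_threshold and (current - mu) >= min_jump:
            flagged[user] = {"z": round(z, 2),
                             "baseline": round(mu, 2),
                             "current": current}
    return flagged


if __name__ == "__main__":
    for user, details in find_deviations(SAMPLE_WEEKLY_COUNTS).items():
        print(f"{user}: {details}")
```

The two thresholds are deliberate: the z-score catches a departure from the user's own norm, while the absolute jump keeps the analyst queue free of statistically "anomalous" but operationally meaningless changes. In a real deployment the alert would route to a case review rather than straight to HR, and the counts would come from the collaboration platform's own signals.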
1. Give employees the right tools to reduce insider risk
Ultimately, an organisation needs to do everything it can to limit its liability. At the same time, employees need to feel they can be as productive and creative as possible in completing their daily tasks. Therefore, an important factor in reducing insider threats is ensuring your tools work for your employees. For example, using connected apps such as Microsoft 365 means you can implement single sign-on with biometric or multi-factor authentication. Your employees can then access everything they need from anywhere, while using the tools that help them stay productive and collaborative.
Microsoft builds privacy considerations into its cloud portfolio as a key principle. Privacy settings are turned on by default in the Insider Risk Management tool, so you can investigate individual cases without bias by pseudonymising identities. This reduces the risk to data subjects and helps organisations meet their data protection obligations.
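To make the pseudonymisation point concrete, here is an added example of how a case-review pipeline can label identities so the analyst sees stable pseudonyms rather than names. It is not the product's implementation; it assumes a secret key held outside the analyst's tooling (constructed here) and a separate escalation role that alone can re-identify, with a recorded justification. A keyed HMAC is used rather than a plain hash so that someone holding only a list of known user principal names cannot rebuild the mapping by hashing them.

```python
"""
Keyed pseudonymisation of identities for insider-risk case review.

Added illustration, not the Insider Risk Management product code. It assumes
a secret key held by a privacy/escalation role (constructed here) and shows
why a keyed HMAC is used instead of a plain hash: without the key, a list of
known user principal names cannot be hashed to rebuild the mapping.
"""
import hashlib
import hmac
import secrets

# Constructed sample user principal names (not real accounts).
SAMPLE_USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def pseudonymise(upn, key):
    """Return a stable, non-reversible pseudonym for a user principal name."""
    # Case-fold so 'Alice@Example.com' and 'alice@example.com' map together.
    digest = hmac.new(key, upn.lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return "AnonUser-" + digest[:12]  # short, stable label for case views


class PseudonymVault:
    """Holds the key and the only mapping back to real identities.

    In practice this sits with the privacy officer / escalation role, not with
    the day-to-day analyst; the analyst only ever sees the pseudonyms.
    """

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._reverse = {}

    def label(self, upn):
        pseudonym = pseudonymise(upn, self._key)
        self._reverse[pseudonym] = upn
        return pseudonym

    def reveal(self, pseudonym, justification):
        """Re-identify only with a recorded justification (escalation step)."""
        if not justification.strip():
            raise ValueError("re-identification requires a recorded justification")
        return self._reverse[pseudonym]  # KeyError for an unknown pseudonym


def build_case_view(events, vault):
    """Replace identities in raw events with pseudonyms for analyst review."""
    return [dict(event, user=vault.label(event["user"])) for event in events]


if __name__ == "__main__":
    vault = PseudonymVault()
    # Constructed sample events for demonstration.
    raw = [{"user": u, "action": "download", "item": "board-pack.xlsx"} for u in SAMPLE_USERS]
    for row in build_case_view(raw, vault):
        print(row)
```

The reverse mapping and the key live in the vault object only; the case view handed to the analyst contains pseudonyms alone, and every call to `reveal` has to carry a justification string, which in a real system would itself be written to the audit trail.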
2. Empower employees with knowledge and skills
To ensure a strong security culture, consider having on-demand or virtual training to equip employees with the knowledge and skills to spot insider threats, such as a phishing email, or odd behaviour. By taking a human-first approach, your security culture will be empathetic and reflective of your values and goals. And don’t forget – this approach needs to come from the top down. Leaders should take an active part in training and sharing information. They should stay transparent and honest with employees and be open to feedback.
3. Let AI and machine learning help you spot insider risk
In an increasingly digital world, it can be overwhelming to figure out where to start addressing insider risk from a technical point of view. Insider Risk Management, found in the Microsoft 365 Compliance Center, uses analytics to accelerate the identification of potential risks and help you take action quickly. Machine learning helps you detect, investigate, and act on malicious and inadvertent activities. You can set policies to define the types of risk you want to identify and detect in your organisation, making it easier for your risk analysts to take the appropriate actions quickly.
Insider Risk Management also gives you an audit trail so you can identify potential red flags: for example, why a particular user was removed from or added to a policy, or why a high-risk alert was dismissed without further action.
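An audit trail is only useful for spotting those red flags if its entries cannot be quietly edited or dropped afterwards. The following is an added example, not the product's own audit log: an in-memory, append-only trail (constructed) in which each entry is hash-chained to the previous one, together with a review query that surfaces the two cases the post names, a high-severity alert dismissed without a recorded reason and a policy-scope change made without one.

```python
"""
Tamper-evident audit trail for insider-risk policy and alert actions.

Added illustration, not Insider Risk Management's own audit log. It assumes
a simple in-memory append-only log (constructed); each entry is chained to
the previous one by hash so later edits or deletions are detectable, and a
review query surfaces high-severity alerts dismissed without a recorded
reason and policy-scope changes without one.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, actor, action, target, reason="", severity=None):
        """Append an entry chained to the previous one; returns its hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "actor": actor,
            "action": action,      # e.g. "policy.add_user", "alert.dismiss"
            "target": target,      # pseudonymised user or alert id
            "reason": reason,
            "severity": severity,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True only if every entry matches its hash and the chain is unbroken."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def red_flags(self):
        """Return (description, seq) pairs a reviewer should look at."""
        flags = []
        for e in self.entries:
            if e["action"] == "alert.dismiss" and e["severity"] == "high" and not e["reason"]:
                flags.append(("high-severity alert dismissed without reason", e["seq"]))
            if e["action"].startswith("policy.") and not e["reason"]:
                flags.append(("policy scope changed without reason", e["seq"]))
        return flags


if __name__ == "__main__":
    trail = AuditTrail()  # constructed sample actions follow
    trail.record("analyst1", "policy.add_user", "AnonUser-0a1b2c3d4e5f", reason="HR referral")
    trail.record("analyst2", "alert.dismiss", "alert-17", severity="high")
    trail.record("analyst2", "policy.remove_user", "AnonUser-0a1b2c3d4e5f")
    print("chain intact:", trail.verify())
    for flag in trail.red_flags():
        print(flag)
```

In a production system the trail would be written to storage the analysts cannot modify and the chain head anchored somewhere independent, but the review logic stays the same: an action without a reason is itself the signal to investigate.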
Build your security culture
A recent study by Microsoft shows that 93 percent of CISOs and Data Protection Officers are concerned about insider risk. By building a people-first security culture and using Insider Risk Management, you can ensure your users and data stay safe in a hybrid environment, while your employees stay productive and collaborative.
About the author
Dan is a Product Marketing Manager for Microsoft 365 Compliance. He focusses his time on the go-to-market strategy for the UK. He is passionate about driving cybersecurity and compliance awareness across both commercial and public sector organisations, so they can improve their cyber posture and reduce their risk.