In some of our previous blogs, we delved deeper into the importance of compliance and the initial steps towards a data security strategy. In this blog, we focus on the threats lurking within your own office walls. Of all cyberattacks globally, about 90% can be traced back to a deliberate or inadvertent error by an employee. Wesley Venstermans, Squad Lead Audit & Compliance at SecWise, delves deeper below into the dangers of insider risk for your organization. 

In the past two years, the number of insider incidents rose by 44%, largely due to the digitization of our workplaces. An insider incident encompasses any cybersecurity incident intentionally or unintentionally caused by an employee of your own organization. But to better understand insider risk, it’s useful first to look at the types of cybercrime, which can be roughly categorized into four major categories: 

• Nation States: These are countries hacking other nations to obtain information that can boost their power on the world stage. We often think of Russia or North Korea, but even EU countries can monitor one another or other global leaders. Several examples have appeared in the media over the past years. 
• Criminal Enterprises: Today, one can find organizations on the dark web that have turned hacking into a business model. From custom-built viruses to ransomware-as-a-service. Anyone can hire these companies, often in exchange for cryptocurrency. These organizations resemble regular service businesses and, besides a (dark) webshop, often even have their dedicated helpdesk with SLAs and money-back guarantees. 
• Hacktivists: This group operates based on their ideology, aiming to humiliate their targets or tarnish their reputation. Their actions are often politically driven. One famous incident involved pro-Ukrainian activists hijacking a Russian news broadcast to display Russian war crimes. 
• Insiders: The threat from this group comes from within your own organization and can be traced back to a deliberate or inadvertent action of one of your employees. We identify three types of insiders. Unintentional insiders are employees who, through negligence or inattention, make errors, like clicking a phishing email link or an admin making a configuration error. Malicious insiders are employees intentionally wanting to harm your organization. They might harbor resentment against their employer or see an opportunity for personal financial gain. Inside agents are a particular type of malicious insider who collaborate with entities from the categories mentioned above, potentially causing deliberate reputation damage in collaboration with hacktivists. 

Insider Risk Management 

But what causes this significant spike in insider incidents, and what can businesses do about it? The rise in incidents can largely be attributed to the advent of hybrid working. Previously, your data only needed protection within your office walls, but now the perimeter has expanded. Employees work from home, on trains, or in coffee shops, which also means there’s less peer oversight of one’s behavior. 

Many problems can be easily prevented with better user training, making them aware of potential cyber threats and their responsibilities towards the organization, and the potential consequences of neglect. Moreover, through insider risk management, a large part of the issues can be detected and averted early. At SecWise, we utilize technology that integrates the ‘Information Protection’ narrative and ‘Data Loss Prevention’, namely Microsoft Purview Insider Risk Management. 

Under Information Protection, we classify data and label data or documents according to their sensitivity. The next phase focuses on data loss prevention. For all actions related to your data (sharing data via email, in Teams meetings, through cloud applications, etc.), triggers are set up. Unusual data usage activates these triggers, automatically generating alerts in the Purview Compliance Center and also blocking certain actions automatically. Lastly, Insider Risk Management also considers factors such as human behavior, leading to an adaptive rather than static approach. 

Microsoft Purview Insider Risk Management correlates different signals to identify potential malicious or inadvertent insider risks, such as intellectual property theft, data breaches, and violations of security policies. Built on the principle of privacy by design, users are pseudonymized by default, and there are role-based access controls and audit logs to ensure user-level privacy. 

Adaptive policies adjust an employee’s risk score based on their behavior and how they handle sensitive data. For instance, if someone who never accessed your CRM files or financial data starts doing so daily, that indicates abnormal behavior. 

Setting Your Triggers 

You can also set triggers for specific events. For example, as soon as someone resigns, a signal from the linked HR system can assign that user a higher risk score. If that employee suddenly starts downloading a lot of data or tries to send it via email, your insider risk management will automatically halt them and notify the pre-defined responsible parties. This could be the IT or Security office, or even the HR department or legal team. 

As previously mentioned, personal data within insider risk management is pseudonymized. Only in cases of criminal offenses or suspicion thereof can someone from your legal department access the full data logs, potentially leading to legal action. In all situations, the legal department is always in the driver’s seat; neither the IT department nor the Security Office decide to lift the pseudonymization or initiate a case. 

The process of Compliance, Information Protection, Data Loss Prevention, and now also Insider Risk Management might seem tailored for larger corporations. However, any organization dealing with sensitive data, such as governments, banks, law firms, and hospitals, can benefit significantly from this technology. If you’re interested in this technology and want to see how we can assist you at SecWise, please contact your SecWise sales representative or via the form here. 

To initiate your own data security journey, reach out to sales manager quickly, or fill in the contact form.