By numerous measures, the insider risk management market has exploded in prominence and importance over the past three years. From the pandemic-induced work-from-anywhere movement, to the Great Resignation and now the prospect for increased layoffs, the risk from malicious insiders is more top-of-mind for security professionals and the C-suite than ever before. It’s also given rise to the “super malicious insider”, which accounted for 32% of malicious insider incidents last year.
Another measure comes from Gartner, who published its “Market Guide for Insider Risk Management Solutions” in late April. The paper conveys how its analysts have seen a notable increase in inquiries from its enterprise clients on how to implement a comprehensive insider risk management program. It states that the time is now for organizations to develop a formal insider risk program and implement technology for monitoring for behavioral indicators of malicious insider activity.
In this blog post, we share our takeaways from the report and how DTEX InTERCEPT aligns with most of its findings and recommendations.
Takeaway #1: There’s a huge difference between “monitoring” and “surveillance”
Gartner recommends that organizations implement tools for “monitoring for indicators of non-permitted activities.” Throughout the report, Gartner consistently uses the word “monitoring” vs. “surveillance.” This is an important distinction.
When it comes to insider risk management and monitoring employees, many employers are faced with issues around privacy and compliance, not to mention suspicion from those being monitored. Organizations must understand the difference between Insider Risk Management and Insider Threat Surveillance to gain intelligence from their workforce.
Any kind of employee monitoring needs to involve collaboration with HR and legal departments (more on this below), who will be concerned about privacy and ethics policy compliance. As a result, monitoring technology must include pseudonymization capabilities based on metadata collection to gain the proper intelligence about insider risks.
For a deeper dive, download our e-book “Insider Risk Management vs. Insider Threat Surveillance.”
Takeaway #2: Core capabilities illustrate the convergence of UEBA, insider threat management and DLP
Gartner outlines eight core capabilities for insider risk management, including dashboarding, behavioral-based monitoring (there’s that word again!), data-centric misuse, network-interception and active data exfiltration blocking.
DTEX InTERCEPT offers all the core capabilities, with particular strengths over our competitors in each of the ones mentioned above. It also illustrates the need for a single platform that offers 100% integration of UEBA, insider threat management and DLP capabilities.
Takeaway #3: Security & risk teams must be aligned with HR and legal
Gartner advises enterprises that for insider risk management to be effective, security and risk teams must work closely with other stakeholders, especially HR and legal departments. We couldn’t agree more, and this implicitly requires that monitoring is on equal footing with employee privacy, i.e. monitoring vs. surveillance.
Insider Risk Management solutions like DTEX InTERCEPT take a very different approach to privacy. DTEX InTERCEPT pseudonymizes PII and collects only application metadata to build a forensic audit trail in a privacy compliant manner. User identities are exposed only when justified by the threat and must be approved by multiple legal and cyber security executives before information is examined by digital forensic analysts.
This enables the cross-functional alignment that is so important and allows for compliance with corporate codes of conduct.
Takeaway #4: Insider risk is not limited to data exfiltration
At DTEX, we believe there is too much attention and focus on data exfiltration and not enough on data infiltration. This is when employees joining companies bring intellectual property taken from their former employer to their new jobs. We covered this extensively in our 2022 Insider Risk Report.
As we stated in the report, insider threats are most often financially motivated and are a mix of those who want to personally profit from the sale of sensitive corporate information and IP on the black market and those who want to take that data with them to their next employer to quickly ‘add value’.
The key to stopping a malicious insider is first to identify those who intentionally seek to cause harm. From understanding the underlying behavioral indicators that increase insider risk (including the differences in the way malicious and non-malicious users search, aggregate, manipulate and transfer data), it becomes possible to detect and disrupt an insider threat before any irreparable harm is actually caused.
We invite you to download the 2022 Gartner Market Guide for Insider Risk Management Solutions to learn more.