Insider risk is a critical yet sometimes misunderstood or overlooked aspect of business risk. Many organizations lack robust Insider Risk Management (IRM) programs, relying on point products like data loss prevention (DLP), user activity monitoring (UAM), and user and entity behavior analytics (UEBA). While these tools offer some protection, in isolation, they lack the behavioral context that’s required to address the core issue: the human element. Additionally, many companies can’t quantify insider risk, or the impact of an insider incident that results in loss of IP, making it difficult to prove return on investment (ROI) for their IRM program. This in turn makes it more difficult to secure adequate budget and executive buy-in.
The truth is that insider risk is often the missing piece of a well-oiled cybersecurity program. This is especially true at companies without large security budgets or regulation driving the necessary programs. With so much focus on external threats, it’s not uncommon for companies to underestimate the risks from the people with authorized access. Regardless of the insider’s intention, the monetary damage can be quite high; the average cost of an insider incident is $17.4 million, and the longer it takes to contain the incident, the higher the cost. This doesn’t even account for reputational impact and the net effect on the bottom line.
Attackers have not overlooked this propensity to underestimate insider risk. In fact, they are exploiting it. External attackers are now purchasing access from insiders, blackmailing insiders, or compensating insiders to steal data on their behalf. Our DTEX i³ investigators have also had experience with nation-state espionage, where the agent tried (but failed) to steal IP.
Recent blogs and news articles have highlighted how North Korean military personnel are leveraging AI to gain employment at legitimate companies, only to quickly install malware or try to steal intellectual property. In fact, DTEX caught one such person during the interview process.
However, despite the amount of damage an insider can cause an organization, budgets to address and prevent insider risks aren’t keeping up. In fact, 45% of organizations say current IRM funding levels are inadequate, and 45% expect them to increase in 2025.
So how can security teams get executive buy-in for IRM without having to go through a costly and (sometimes) very public incident? It starts with executive education and a thorough understanding of business risk from the security team.
Building a Business Case for Insider Risk Management
Outside of certain government circles, insider risk doesn’t generate the same type of buzz as a ransomware cybercrime ring or a nation-state actor trying to infiltrate critical infrastructure. Yet when insider activity does make the headlines, it is usually a shocking betrayal of trust that casts a negative shadow over the entire organization.
Cyber incidents already bring reputational damage to organizations, but an insider-caused event can cause even more, because it erodes trust in the victim organization’s own employees.
Senior management may also lack awareness about what constitutes insider risk and how damaging it can be. It can be difficult to quantify the risk from an insider incident or even to quantify the value of lost data. Some organizations have built programs where they quantify the value of critical data and are able to justify the existence of their IRM program through the amount they save their organization every time an insider is caught trying to steal data or take data when they leave the organization. Additionally, it’s difficult to properly monitor what employees are doing with their credentials and their access to systems, and organizations want (and need) to trust their employees.
A comprehensive IRM program is about allowing organizations to trust their employees while having enough monitoring in place to detect and deter when an employee (intentionally or unintentionally) betrays that trust.
Why Business Leaders Should Prioritize Insider Risk Management
CISOs allocate budgets based on where they perceive the biggest security risks to be. For example, a Deloitte study found that in the financial industry, digital transformation is driving cybersecurity spending, followed by regulatory compliance concerns. Overall, much of the CISO’s budget goes to staffing or to IT costs. If you search for information on the top areas of cybersecurity spending, you’ll find ransomware and phishing, threat detection, and endpoint security. What you don’t find on many of those lists is IRM or insider threat protection.
Cyber incidents caused by insider risks, whether intentional or unintentional, could result in millions of dollars in lost revenue, fines, and other fees. The DTEX and Ponemon study found that it takes, on average, 81 days to contain an insider incident. Incidents contained in 91 or more days cost on average $18.7M. Those contained under 31 days cost $10.6M.
Business executives understand that all insiders, intentionally or not, pose risk to their organization, and it’s the security team’s job to implement a program to prevent risks from turning into threats or incidents. Insider risk can stem from poor cybersecurity awareness training, lack of awareness of company policies, or lack of understanding of the value of company IP. It could also stem from a serious life event, like a family member’s cancer diagnosis or a partner’s lost income. Both scenarios have the potential to turn a benign insider into an insider threat. Sometimes, the insider unintentionally becomes a threat. In other cases, the insider may accept money from an external threat actor in exchange for insider information or credentials.
Insider risk can also have a trickle-down effect. For example, a former employee of an IT vendor continued to have access after termination. The former employee took revenge by accessing the medical records of more than a million patients of a medical company that used the IT vendor for technology services. The failure to protect against insider risks and threats in one company thus led to significant financial and reputational damage for a third party.
Regardless of how insider risk manifests, the truth is that insider risk touches all cybersecurity and business risks. It is a complex human-centric challenge that requires the right funds and attention to drive positive change and proactive protection. This is especially so with the advent of AI and background geopolitical tensions adding more capability and incentive to target and exploit insiders.
Investing in a comprehensive IRM program that cuts across people, processes, and technology won’t only enable proactive security and data protection, but it will set the foundation for the business to secure its reputation, mission-critical operations, and bottom line.
How to Justify Insider Risk Program Investment
Educating senior leadership about the business, financial, and security risks associated with insiders is crucial before seeking additional budget. Senior leadership needs to understand the risk insider threats pose to their organization compared to all the other business risks they are faced with daily.
Organizations need to ensure they are not overspending on any aspect of their security program, and that new technologies they spend money on deliver better value and a lower total cost of ownership (TCO) than what is currently implemented. One clear way to highlight the risk from insider threats is to use recent headline examples from your industry.
The sample list below clearly demonstrates the risk from insiders, and why having a robust IRM program is important:
- Malicious actors are spoofing real URLs and email addresses from legitimate companies to launch phishing attacks, designed to exploit user behaviors.
- When a company has thousands of endpoints, it increases the opportunity for insider risk through compromised, shared, stolen or lost devices.
- An employee’s use of a thumb drive ends up infecting devices across multiple retail locations.
- An accidental misconfiguration in code by an employee leads to exposed sensitive data.
- The leak of classified Pentagon documents through a popular messaging platform.
- Two former Tesla employees leaked more than 75,000 individuals’ personal information to a foreign media outlet.
- Google engineer steals AI trade secrets for Chinese companies.
Four Steps for Securing Executive Buy-In for Insider Risk Management
Asking for more budget is never easy, so it’s imperative to show the business value and long-term cost prevention or ROI. Long-term cost prevention manifests through not paying to investigate a breach, preventing a breach in the first place, preventing IP from being taken by exiting employees, and through tool consolidation and capabilities aggregation. The cheaper solution is often the least impactful and will return the lowest amount of long-term cost prevention.
When making the case for additional budget for your IRM program, there are some clear steps to take. The following list summarizes those steps:
- Present the budget ask as a business enabling expense rather than an additional security expense. Even though the budget will likely be assigned to the CISO, IRM is a business risk just as much as it is a security risk.
- Discuss insider risk and its relationship to regulatory compliance in your industry. Insider risk management programs should be part of the organization’s risk and governance programs.
- Prepare a realistic IRM program budget, complete with the necessary tools, training, and headcount. It’s important not to underfund the program such that you need to request additional budget after the first ask. It’s also important to understand your organization’s risk tolerance, data sensitivity, systems architecture, infrastructure, etc., ensuring the program is comprehensive and tailored for your environment.
- Develop a quantifiable method for tracking the ROI of the IRM program. Quantifiable ROI always helps justify additional spend because senior leadership can quickly understand the value for their money. Showing cost against business outcomes in concrete numbers is necessary. One way to quantify the ROI from the spend is to assign a value to specific IP (research funding, sales, etc.) to determine how much it would cost if that data were taken.
The threat landscape is rapidly shifting, with attackers now frequently leveraging insiders to access sensitive information. As a result, the distinction between external and internal threats is becoming increasingly blurred, making it harder to identify and mitigate risks. Insider risk management presents a powerful opportunity to significantly and proactively reduce the risk from insider and external threats while simultaneously ensuring a trusted and protected workforce. Understanding the risk from insiders and how insiders contribute to the risk profile of an organization will help to properly justify budget for a comprehensive IRM program. Many of our customers have chosen to make IRM a board and c-level issue and have worked with us to build world class IRM programs. We’re here to help.