Eric Ewald is the Insider Risk Lead, Cyber Technology Solutions Group at Booz Allen Hamilton.
Current challenges & risks
At this point, we can all admit that Insider Risk Management and IP security programs are difficult for many organizations to operationalize. Our programs must ensure that monitoring procedures don’t infringe on the privacy rights of our employees and business partners. Further, we must also drive collaboration within the proverbial “business” to ensure protections for critical IP and trade secrets focus on what really matters. Our solutions must also simultaneously ensure that the controls we implement maximize user experience and minimize unnecessary “security friction”. Lastly, we have to add responsibility for program governance and oversight to this long list of initiatives.
If we don’t cover all of our bases before we start to operate, our programs can erode organizational trust to the point where any and all support is lost and our program ceases to operate (yikes!). That’s quite a tough pill to swallow for many companies who struggle to secure funding for cybersecurity people resources and technologies, especially considering the cyber risk and threat landscape that teams are up against in 2023:
- Emerging regulations in high-risk geographies that allow states to compel citizens to commit espionage while promoting attractive international trade terms to coopt foreign investment
- Threats of AI-enabled social engineering amidst a hostile geopolitical climate while the working world is still struggling with post-COVID operational confusion
- Maintaining 24×7 remote, wait: we’re hybrid, nope: now BACK-to-the-office – operations is pushing employees beyond burnout, to the point where they are so disengaged that they take whatever risky path of least resistance they can to get their jobs done
In the face of such harsh realities, it’s unsurprising that 76% of CISOs expect data loss from insider events to increase in the next 12 months at their organization. With this point in mind, it’s critical that we work together to define a rubric for Insider Risk and IP security program development that positions everyone for success. We need to focus on answering the age-old question: “What does [a] good [program] look like?”
The best approach
The answer to that question lies in the relationship between Governance, Protection, Detection, Response, and Recovery + continuous Improvement, our tenets of holistic Insider Risk Management and IP security:
The graphic above depicts the type of quantitative risk reduction over time that we are all trying to achieve and demonstrate to our leadership teams. But how exactly do we reduce risk? From the perspective of Insider Risk Management and IP security programs, we reduce risk by injecting valuable business context into all facets of our work. When we work with client organizations, we commonly see Insider Risk and IP security programs that start down a purely technical path, putting Detection and Response as Priority #1, often overlooking Governance entirely. When this is the case, we instruct clients to look left and focus on engaging with stakeholders to educate them on precisely what it means to have an Insider Risk or IP security program. Work with your stakeholders early and often to identify their needs and concerns.
When we work closely with our lines of business and functional teams, we inject valuable and relevant context into our programs that help them maintain relevance. The graphic above demonstrates that as we work with the business and inject valuable context into our program, the fidelity of that work will also increase. The cumulative impact of increasing context and fidelity reduces the inherent level of effort required to do the work at hand. When we keep program resourcing at the forefront, the reduction in effort helps us get through more and more work incrementally (e.g., more alerts, incidents, issues, initiatives, etc.), which will help us reduce organizational risk over time.
Where Code42 Incydr fits in
Technologies like Code42 Incydr are purpose-built to provide unified visibility to risky data movement. Importantly, Incydr doesn’t get in the way of this data movement unless it is absolutely necessary, instead passively monitoring file movements, flagging suspicious exfiltration, and blocking behaviors based on context. For example, our own data shows that departing employees are likely to exfiltrate data before they even give notice. This means that if teams delay monitoring until after a user has given notice, it’s probably too late.
Monitoring is just part of the risk reduction story. Code42 Instructor also allows security teams to send real-time training to users when they do put data at risk, redirecting them to the sanctioned and approved tools that your organization uses to share information securely. Weaving this educational component into everyday work life helps reinforce security learnings otherwise brushed aside due to burnout, or assist genuinely clueless employees in making security-aware decisions, reducing risk across the board for your organization.
Once stakeholders are identified and assembled, Insider Risk or IP security teams can review the data provided by Incydr and identify what users, departments, or data pose the most risk to the organization, through either deliberate or accidental mishandling. The appropriate response can then be determined: training, investigations, updates to Acceptable Use or Conflict of Interest policies, and so on. Through continuous monitoring of your organization’s risk trends, new exfiltration vectors or tools users are leveraging for shadow IT can be easily identified and then remediated.
As teams learn the right and wrong ways to collaborate, the overall risk to the organization decreases. This traction is bolstered by the creation of a positive security culture; Because Incydr doesn’t take a heavy-handed approach, like excessively blocking or slowing down endpoints, your security team will maintain trust with users and your Insider Risk program will be seen as enabling business, not hindering it.
Booz Allen Hamilton’s partnership with Code42
This is precisely why we’ve partnered with Code42. Their approach to mitigating data loss from insiders prioritizes visibility to data movement, addressing gaps that legacy DLP solutions often leave open. Whether you’re concerned about Git pushes from Ubuntu desktop, or want to know how your users and business partners are interacting with Salesforce, Incydr gives you the visibility, context, and control needed to stop data leakage and prevent IP theft.
From a consulting perspective, this enables some powerful value propositions where detecting file exfiltration via web browsers, USB, cloud apps, email, public or external file sharing links, and Airdrop are just the beginning. Bridging the gap between security and the business is where synergy really happens. Is your organization concerned with the rate of cloud-native file growth in your enterprise platforms? How often is your sourcing function sending sensitive information to untrusted third-party suppliers and platforms? Did your budget for a CASB solution get pulled due to global economic uncertainty? For all of these problems, Code42 Incydr and Booz Allen can help.