
How to build a better insider risk program

One cybersecurity expert says organizations should remember that insider risk is not limited to malicious insider attacks.

Image: Cyber risk insurance gap (Sarayut Thaneerat/Getty Images)


From parents of insecure teens doling out advice to weirdly shaped Christmas presents, one thing remains true: It’s what’s inside that counts. For organizations, what’s inside could possibly present a security issue. That’s where having a strong insider risk program comes into play.

Insider incidents are on the rise. According to a 2024 Gurucul report, 83% of organizations experienced at least one insider attack in the last year.

While organizations have been more proactive in establishing insider risk programs to combat these growing threats, several experts told IT Brew that those programs often fall short. AppOmni co-founder and CTO Brian Soby, for instance, said that people tend to forget that insider risk covers not only insiders with malicious intent, but also insiders who unintentionally compromise an organization’s security, for example when their account or device is taken over by an outside attacker.

“A malicious insider is a smaller realistic threat than [a] compromised insider and organizations need to understand that it’s both of those,” Soby said.

Tech support. So, what exactly makes a good insider risk program? Nick Stephanadis, founder of insider risk management services company SpotStone, told IT Brew that it involves a strategy where technology serves as a component instead of being the main line of defense, noting that things can go awry for companies if they try to “buy their way out of the problem.”

“You can have some pretty limited technologies, but if you have a great training awareness program and a great employee engagement program, then you’re going to get much further actually in that way, in my opinion, than you would if you had some high-speed technology, but nothing else to go around with it,” he said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Troy Batterberry, CEO and co-founder of cybersecurity startup EchoMark, added that the “human element,” which includes employee training and security awareness, is a crucial part in defending against insider attacks and often can’t be replaced by technology.

“I don’t think you can do just one or the other,” Batterberry said. “I think you have to do both.”

No “IT” in team. Batterberry told us IT can no longer be the sole warden for a company’s insider risk program because of the people-centered focus required to defend against attacks.

“All the different departments need to have skin in the game to deal with these types of threats,” he said, adding that insider risk programs should be a “joint effort.”

Moment to reflect. Guarding against insider attacks is a work in progress. Soby told IT Brew that companies should confirm their program is in good shape by conducting audits that use threat modeling to test whether the program still protects the organization against the current threat landscape.

“Go back in the last year and take all the incidents…and look to see how they happened, and then say, ‘Was insider risk a part of this? Was this a malicious or compromised user? If it was, would our program have prevented it? And if so, how?’” Soby said.
