Microsoft: IT Departments are in Insider Risk Crosshairs

As the amount of data being captured, copied and consumed in enterprises grows exponentially, organizations have had their hands full securing it from external attackers. However, organizations must also protect that data from insiders and preventing that data from leaving the organization and falling into the wrong hands.

IT and security professionals are most often tasked with managing data and investigating data breaches, but they are also the most associated with being at risk, according to a new Microsoft report on insider risk.

To help organizations navigate that threat of insider risk, Microsoft has published its first report specifically to address those challenges that lays out several new insights about how organizations can switch from a fragmented approach to insider risk management to a holistic one.

The guide, “Building a Holistic Insider Risk Management program,” addresses potential risks from multiple areas as part of a greater data protection strategy. Microsoft’s Corporate Vice President and Chief Information Security Officer Bret Arsenault says the company itself transitioned from a fragmented approach to a more holistic and comprehensive strategy that included getting more buy-in from leadership and making sure user privacy is built in from the start.

“Following our own transition, Microsoft wanted to better understand how organizations are approaching insider risk management, specifically how some of these security and compliance teams were thinking about insider risk management holistically,” Arsenault says in a blog post.

The insider risk landscape is growing

The report lays out new insights about how to achieve a holistic insider risk management approach, including how holistic organizations think privacy controls should be used in the early stages of investigations. According to Microsoft, 92% of holistic organizations say training and education are vital to proactively address and reduce insider risks, while just 50% of fragmented organizations feel the same way.

The growing prevalence of distributed work environments is leading to growing concern about insider risk incidents, with organizations leaning heavily on technology and data proliferation to make those work models effective and keep employees productive.

Across all industries, Microsoft’s report identified about 12 insider risk events each year at any given company. When combined with malicious events, that makes an average of 20 incidents. About one-third of organizations reported an increase in their insider risk event occurrence in the past year, but 40% expect these incidents to continue to grow.

IT’s outsized impact on insider risk

According to the report, IT teams are the most associated with being at risk for abusing or leaking data despite the fact that they are typically in charge of detecting and remediating insider risk. IT was far and away the most identified with 60% seeing IT as highly at risk. Second was finance and accounting at just 48%.

The report identifies finding reliable and trustworthy employees to carry out insider risk detection and remediation as a critical step to running a successful insider risk program.

“This makes it all the more important to ensure that the security and IT teams investigating insider risks have strong auditing and approval controls in place, to make sure that their actions are in the best interest of the organization,” the report says.

The impacts of insider events

Organizations ranked theft or loss of customer data as the highest impact of insider risk events, followed by brand or reputation damage, theft or loss of employee personal data, theft of loss of mission critical data or intellectual property, legal and regulatory impact, lost confidence among key stakeholders, remediation costs, and downtime.

The study—which solicited input from organizations of all sizes—found that the cost of a single data breach from an insider event can be devastating. Nearly 40% of respondents said the average cost was more than $500,000 for a single event. With an average of 20 events per year, that can be a financial impact of $10 million for the average company.

However, Microsoft says those costs are likely on the lower end of the spectrum, citing one case in which a chemist working for the Coca-Cola Company and Eastman Chemical Company was convicted of stealing trade secrets, corporate espionage and wire fraud, with a financial impact of nearly $120 million.

Aside from financial considerations, insider risk events can destroy employee relations, with organizations concerned about violating employee privacy rights and losing employer trust.

Learn more about Microsoft’s holistic approach to insider risk management here.