Aviv Nahum is the CEO and cofounder of Above Security.

Insider risk has existed for as long as people have worked inside organizations. Each employee you add to the org chart expands your risk. Their actions, whether intentional or unintentional, can lead to sensitive information or devices getting into the wrong hands.​

In a big enterprise, you can’t possibly know all 50,000 or 100,000 employees. Even if they all have the right motives and intentions, they are people who make mistakes. They are also under tremendous pressure to get their jobs done faster. The majority of U.S. adults (53%) are worried that AI could cause them, or someone in their household, to lose a job, according to a recent Reuters/Ipsos poll. ​

There are too many shiny new tools—AI transcribers, video call platforms, coding assistants—that promise to wrangle the too-long to-do list. One employee who adopts a tool without fully understanding it can expose their organization to serious consequences. ​

The cybersecurity industry has tried and failed to solve this problem for years using two key frameworks.​

With data loss prevention (DLP), security teams have to manually configure hundreds or thousands of static policies. If an employee tries to upload more than 5 MB to a shared file drive, they should get blocked (but 4.9 MB is just fine). If an employee tries to download a sales PDF that contains PII, the system should issue an alert. But roles, deadlines, projects and tools are constantly changing, and a manual system can’t scale fast enough. ​

With user and entity behavior analytics (UEBA), on the other hand, security teams aim to apply mathematical equations to human behavior. Their approach uses a combination of machine learning and behavioral analytics to trigger alerts when the system detects anomalies. If an employee who normally works 9 to 5 logs in at 2 a.m., the system should flag it. UEBA is designed to spot unusual and potentially dangerous behavior, but it is notoriously imprecise. It often floods security teams with thousands of false positives that offer no context into why an action was marked.

Reasoning At Scale

I’ve seen DLP and UEBA approaches consistently fall short for organizations in both the public and private sectors. Programs historically treat insider risk as a detection problem, bolted onto the security operations center (SOC), not a true cross-functional challenge that affects security, HR, legal and employee management. ​

Now, for the first time in history, we have access to the right technology to tackle this problem. AI can apply reasoning to human behavior at scale, and it is available to all organizations, regardless of size or sector. ​

Last year, I cofounded a company that offers managed insider risk protection services for enterprise and financial services clients. We use AI agents to gather telemetry from multiple sources and provide context around insider risk threats. We have no set policies by design, which is a huge mindset shift for anyone who has worked in this space. In the beginning, even our sales engineers had a hard time wrapping their heads around the idea of a risk approach without policies.​

Since change is so rapid and significant, my team and I are constantly reframing insider risk for clients to fit the current context: Here’s where we are today, and here’s where we are headed in the next few years. These are the key takeaways about insider risk that I think are most important for leaders to understand.​

Concentrate on low-hanging fruit.​

You need to know what you are defending against before you can develop a plan to defeat it. ​

Organizations often lump together distinct insider risk threat types. Malicious insiders stealing IP or committing fraud or sabotage. External bad actors stealing employee credentials and using compromised accounts. Or, by far the most common in my experience, making up around 95% of insider risk cases, non-malicious insiders exposing the company to risk through negligence or inadvertent human error. ​

You can’t watch everyone equally. Concentrate on the low-hanging fruit: people who are in the greatest danger of harming your organization. Proactively monitor employees who have access to IP, CRM or other high-value corporate data. ​

I’ve found that the departing employee window, the time between someone’s decision to leave and their last day, is the riskiest period. Some of the warning signs often precede the resignation announcement: an employee talking to recruiters, browsing or sending job applications, taking time off or booking hotels, accepting an offer letter. ​

My team flagged one client’s employee as high-risk before he told anyone he was resigning. He had accepted an offer letter from a direct competitor and, no surprise, he ended up walking out with his former employer’s entire account list. ​

Make insider risk a cross-functional problem. ​

Treat insider risk as a challenge that cross-functional teams, not just the SOC, need to solve. You need to understand access, ownership and risk in advance. Who is allowed to look at what? Who manages the program? What triggers a human to review someone’s activity? What does an escalation path look like? ​

Expect confusion and conflict between departments at this stage. What often happens is that ownership is ambiguous between security, HR and legal teams, and everyone assumes someone else is in charge. ​

Name one clear owner who is in charge of the budget and mandate. In my work, I’ve seen that projects are most successful when security leads the charge. Make the CISO the clear leader of insider risk. ​

Don’t overlook synthetic users. ​

Companies are deploying massive teams of AI agents that act like employees in every sense of the word. They have the same access, or even more, than human employees, but they aren’t being monitored as closely. ​

These “synthetic insiders” are part of the new workforce, and static policies will likely fall short in the same ways they did for humans in the past. Focus on developing a framework that can apply reason to users’ behavior and intent rather than listing out thousands of allowed actions in advance. AI agents and the permissions they need are changing faster than any rules can keep up, just as we saw with DLP. ​

Ask clear questions about agents: Who is this entity? What is its normal behavior? If that has changed, why?​

With insider risk, the call is coming from inside the house. Insiders, whether human or AI, are already authenticated and trusted, but that doesn’t mean we are helpless to fight the problem.

We finally have the knowledge and technology to understand the context and intent of insider risk. And we can build flexible strategies that will continue to combat threats as they evolve.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

Share.
Leave A Reply

Exit mobile version