Face it, insider threats happen. And odds are you are suffering a data loss, leak or theft even as you read this article. That’s a scary thought.

Unfortunately, insider threats are so common that organizations deal every day with data loss events when employees quit, mergers and acquisitions (M&As) are executed, realignments or reductions in force occur, and users work on highly sensitive projects. For many organizations, insider threats are an unsolved problem.

In spite of companies experimenting with traditional data loss prevention (DLP) solutions to stem data loss, DLP simply wasn’t designed to manage insider threats. Its original objective was to prevent the exfiltration of regulated data to meet compliance requirements. Traditional DLP just doesn’t deliver a comprehensive solution for insider threats.

There is hope, though, in a new approach to solving the insider threat problem. It begins with a focus on the data. This is critical because the dynamics of corporate culture have changed over time. Today’s end users choose to work from their preferred location, collaborate with peers and work on their own devices. As a result, data lives everywhere.

Three Key Capabilities for Next-Gen Data Loss Prevention Solutions

In this new paradigm, insider threat solutions must be focused on all of the data to provide valuable insights that are ultimately required for faster insider threat detection and response. This has now given birth to a new breed of next-generation data loss prevention solutions.

Let’s dive deeper into three capabilities that next-gen data loss prevention solutions need to adequately protect against insider threats.

1. Comprehensive Visibility

Data has evolved beyond the traditional computer and increasingly resides in cloud storage services like Google Drive, Microsoft OneDrive and Box. Unless technology solutions provide visibility to all data movements from endpoints to the cloud and offer accompanying alerts in real time, security teams will be flying blind to where all their data is and when and how it’s leaving or being exfiltrated from their organization.

Today’s data is increasingly portable — it has to be. The modern worker must be able to share and collaborate files constantly with zero interruptions. All of this, of course, relies on the cloud. This means footprints of file transactions are all over the place and need to be monitored to protect the organization’s intellectual property.

2. Historical Context

Incident response mechanisms have a tendency to treat insider threats as point-in-time events that generally start on the day an alert is triggered. For example, when an employee quits and turns in their two-week notice, a security alert is triggered a week into this notice. While helpful, this does not add the necessary context about the employee’s actions before the resignation was actually submitted.

Organizations must account for user activity trends up to 90 days before employees signal their intent to leave. It is critical for data loss prevention solutions to keep files for as long as needed to not only protect data, but also support HR, legal and compliance needs.

Incident response relies on investigations and piecing together insights from security analytics tools. Without proper historical context, the data needed for investigations is woefully incomplete and could yield inaccurate conclusions.

3. File Recovery

The ability to retrieve files in seconds for content analysis and recovery is a key supporting act for incident response. Security and IT teams also rely on this capability to quickly bounce back from malicious or accidental data loss scenarios. They can rest assured that their intellectual property is secure.

Solving the Persistent Problem of Insider Threats

When data loss prevention solutions include these three capabilities, security teams can better manage their greatest insider threat challenges. These capabilities will yield truer data and help eliminate false positives, which are a huge waste of security’s time.

Today, insider threats represent an unsolved business problem. As more people job-hop, more data is at risk. The time is now for organizations to rethink their approach to data loss prevention.

Learn more about the IBM Security SOAR

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…