Blog Post

Insider Risk Management in Microsoft 365

There is a wide range of insider risks that compliance professionals need to mitigate. These can span isolated issues, such as individuals acting alone to gain access to information for which they do not have proper authorization, targeted instances of harassment, or quiet-quitting behaviors. Insider risks may also be more widespread and severe, for example internal patterns of corruption within certain business groups, or malicious, coordinated efforts to steal IP. Additionally, many insider threats are inadvertent, involving employees who expose sensitive information or violate regulations without intending to do so.

Regardless of the scope, scale or intention behind insider risks, compliance officers must proactively monitor and manage them. As the corporate data footprint grows to include large volumes of information, more disparate endpoints among remote employees and an ever-increasing variety of data sources across cloud file sharing, collaboration platforms and chat applications, keeping up with the insider landscape is increasingly complex and intensive. It also requires close partnership between compliance officers, who may not have a deep understanding of technical challenges, and IT professionals, for whom risk management is not always a topline priority.

Many organizations have turned to compliance tools within Microsoft 365 as a means of handling and/or automating insider risk management within their environment. Indeed, Microsoft 365 and other leading cloud-based productivity suites offer robust compliance features that can ease the burden of monitoring insider activity. Still, these features must be configured to meet the specific needs of each organization, depending on its compliance obligations, top risk factors, size, industry, risk tolerance and other unique factors.

For instance, companies in the financial services industry have strict, specialized compliance requirements for what data must be preserved and for how long, as well as what types of activity may signal a violation. An organization in a less regulated industry, but with a multi-national footprint, will likely be more concerned with monitoring for compliance with broad regulations within specific jurisdictions. Separately, organizations in highly competitive industries like high tech and manufacturing may need to focus on monitoring compliance with internal policies that protect IP and trade secrets.

All these nuances must be accounted for when compliance functionality is implemented within Microsoft 365 or other systems. There are several considerations compliance teams should address when assessing their current insider risk management processes and looking to automate certain controls within their existing platforms. These include:

  • Whether the organization has an up-to-date framework that defines its compliance obligations, risk profile and areas that have been raised as top concerns within the organization (e.g., IP protection, data privacy, employment issues, etc.).
  • How the organization has been performing in managing risk as employees moved to remote work, and whether changes in the data footprint have been adequately accounted for in compliance processes.
  • Whether processes and controls exist to restrict access when employees depart, and where they are lacking.
  • The extent of behaviors, words, activities and other indicators that are defined within the system as red flags. Assessing and continually fine-tuning these triggers is integral to establishing an effective detection and prevention program to catch issues before they escalate.
  • What activities have been historically monitored and whether there are any significant gaps that need to be filled. For example, whether the compliance team is actively monitoring for outlier behavior, such as employees accessing files they don’t normally access, visiting unusual external domains, working at odd hours or making significant changes in their working patterns.
  • Current acceptable use policies for personal devices, remote working and use of collaboration tools and whether the policy and training are in place to support enforcement.
  • Whether existing systems have the ability to continuously inform and improve proactive monitoring based on learnings from previous incidents. By establishing a feedback loop, behavioral analytics and other monitoring tools can improve over time, becoming more accurate at distinguishing between concerning and benign activity and communications.
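As an added illustration of the outlier indicators listed above (example code written for this article, not part of the original post or any Microsoft product), the following Python scores constructed audit-style records against a per-user baseline for three of the red flags named: access to files the user does not normally touch, visits to unusual external domains, and activity at odd hours. The record field names, user accounts, file paths, domains and the business-hours window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records; field names only loosely imitate an audit export
# and are not a claim about the real Microsoft 365 schema.
BASELINE = [  # a short "normal behaviour" history for two users
    {"UserId": "alice@contoso.example", "Operation": "FileAccessed",
     "ObjectId": "Finance/Q3-forecast.xlsx", "CreationTime": "2024-03-04T10:15:00"},
    {"UserId": "alice@contoso.example", "Operation": "DomainVisited",
     "ObjectId": "sharepoint.contoso.example", "CreationTime": "2024-03-04T11:02:00"},
    {"UserId": "bob@contoso.example", "Operation": "FileAccessed",
     "ObjectId": "Engineering/design-notes.docx", "CreationTime": "2024-03-05T09:40:00"},
]
EVENTS = [  # new activity to be scored against the baseline
    {"UserId": "alice@contoso.example", "Operation": "FileAccessed",
     "ObjectId": "Finance/Q3-forecast.xlsx", "CreationTime": "2024-04-02T14:05:00"},
    {"UserId": "bob@contoso.example", "Operation": "FileAccessed",
     "ObjectId": "HR/salary-bands.xlsx", "CreationTime": "2024-04-02T23:48:00"},
    {"UserId": "bob@contoso.example", "Operation": "DomainVisited",
     "ObjectId": "filedrop.example.net", "CreationTime": "2024-04-02T23:51:00"},
]
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59; an assumed policy value

def build_profile(records):
    """Per-user sets of files and domains seen during the baseline window."""
    profile = defaultdict(lambda: {"files": set(), "domains": set()})
    for r in records:
        key = "files" if r["Operation"] == "FileAccessed" else "domains"
        profile[r["UserId"]][key].add(r["ObjectId"])
    return profile

def score_event(event, profile):
    """Return the names of the red-flag indicators one event triggers."""
    seen = profile.get(event["UserId"], {"files": set(), "domains": set()})
    flags = []
    if datetime.fromisoformat(event["CreationTime"]).hour not in BUSINESS_HOURS:
        flags.append("odd_hours")
    if event["Operation"] == "FileAccessed" and event["ObjectId"] not in seen["files"]:
        flags.append("unusual_file")
    if event["Operation"] == "DomainVisited" and event["ObjectId"] not in seen["domains"]:
        flags.append("unusual_domain")
    return flags

def review_queue(events, baseline, min_flags=2):
    """Events hitting at least min_flags indicators; the threshold is the tuning knob."""
    profile = build_profile(baseline)
    scored = ((e, score_event(e, profile)) for e in events)
    return [(e["UserId"], e["ObjectId"], f) for e, f in scored if len(f) >= min_flags]
```

Raising `min_flags` trades fewer benign alerts for later detection, which is the fine-tuning decision the list above asks compliance teams to revisit continually.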

Like all areas of digital risk, insider risk management is becoming at once more difficult and more important. Organizations can leverage their existing tools, like Microsoft 365, but should also recognize that these tools must be supported with expertise and customized workflows in order to enable robust compliance. FTI Technology is continually working with cloud-based systems, productivity suites and collaboration platforms, like Microsoft 365, to understand how they can be optimized for challenging risk and compliance use cases like insider risk management.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.