Summary
Data breaches regularly make the news, and insider incidents are among the costliest. Traditional data security controls therefore need to change. What began as Data Loss Prevention (DLP) has grown into a broader, more adaptive practice called Insider Risk Management (IRM). The shift reflects how threats have evolved: understanding intent, behaviour and context now matters as much as the content itself.
The Rise of Data Loss Prevention (DLP)
Before discussing DLP itself, it helps to understand its history and evolution.
- Data security concerns date back to the 1960s-1980s, when mainframe computers began handling sensitive business and government data.
- The widespread adoption of the Internet and email in the 1990s brought a surge in cyber threats, including hacking, phishing and data theft. Major data protection laws emerged at this time:
  - HIPAA (1996) – protecting healthcare data in the U.S.
  - Gramm-Leach-Bliley Act (1999) – securing financial data.
  - Data Protection Act (1998, UK) – early privacy law governing the handling of personal data.
- Early 2000s: the first mentions of "DLP" appear, although parts of its functionality already existed in other software.
- 2006-2007: the term "DLP" was coined and popularised by Gartner; according to a 2008 SANS Institute paper, it gained real traction in 2007.
Data Loss Prevention (DLP) solutions identify, monitor and prevent unauthorised data movement according to business requirements, expressed as policies and rules that pair conditions with actions. Examples include, but are not limited to:
- Monitoring / Preventing the emailing of credit card numbers externally.
- Monitoring / Preventing downloads of sensitive intellectual property to personal devices.
- Monitoring / Preventing file transfers to unmanaged cloud platforms.
Data Loss Prevention (DLP) is important for meeting regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). It works by inspecting content, classifying it and applying policy. DLP commonly relies on techniques such as pattern matching, document fingerprinting and sensitivity labelling.
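To make those three techniques concrete, here is an added Python example written for this article (it is not code from any DLP product or from the author). It assumes constructed sample messages and a hypothetical policy: a regular expression plus Luhn validation for card numbers (the validation step is what keeps an order number from becoming a false positive), hashed word shingles as a simple form of document fingerprinting, and a sensitivity label carried as message metadata, all tied together by a small rule engine that maps conditions to actions.

```python
import hashlib
import re

# --- Technique 1: pattern matching with validation -------------------------
# Candidate 13-19 digit runs, allowing spaces or dashes between digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str, validate: bool = True) -> list[str]:
    """Return digit strings that look like card numbers (and pass Luhn if validate)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and (not validate or luhn_ok(digits)):
            hits.append(digits)
    return hits

# --- Technique 2: fingerprinting (hashed word shingles) --------------------
def fingerprint(text: str, k: int = 5) -> set[str]:
    """Hash every window of k consecutive normalised words."""
    words = re.findall(r"\w+", text.lower())
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
        for i in range(len(words) - k + 1)
    }

def matched_shingles(text: str, protected: set[str], k: int = 5) -> int:
    """How many of the text's shingles come from the protected document."""
    return len(fingerprint(text, k) & protected)

# --- Technique 3: labels, plus a rule engine tying conditions to actions ---
INTERNAL_DOMAIN = "corp.example"   # hypothetical corporate mail domain

def is_external(recipient: str) -> bool:
    return not recipient.lower().endswith("@" + INTERNAL_DOMAIN)

def evaluate(message: dict, protected: set[str]) -> list[dict]:
    """Apply policy rules; each finding names the rule, the action and the evidence."""
    findings = []
    external = is_external(message["to"])
    cards = find_card_numbers(message["body"])
    if cards and external:
        findings.append({"rule": "pci-no-external-pan", "action": "block",
                         "evidence": f"{len(cards)} card number(s)"})
    hits = matched_shingles(message["body"], protected)
    if hits >= 3 and external:   # several consecutive matching windows = a real excerpt
        findings.append({"rule": "fingerprint-confidential-doc", "action": "block",
                         "evidence": f"{hits} matching shingles"})
    if message.get("label") == "Confidential" and external:
        findings.append({"rule": "label-confidential-external", "action": "quarantine",
                         "evidence": "sensitivity label"})
    return findings

# Constructed sample data (not real documents or messages).
PROTECTED_DOC = ("Project Falcon pricing model. The proposed acquisition price for "
                 "Northwind Traders is eighty four million dollars, subject to board "
                 "approval on the fourteenth of June.")
PROTECTED_FP = fingerprint(PROTECTED_DOC)

MESSAGES = [
    {"to": "vendor@partner.example", "label": None,
     "body": "Please charge 4111 1111 1111 1111 for the invoice."},   # Luhn-valid test PAN
    {"to": "vendor@partner.example", "label": None,
     "body": "Order 1234 5678 9012 3456 shipped."},                    # 16 digits, fails Luhn
    {"to": "me@personal.example", "label": "Confidential",
     "body": ("Sending this to my personal mailbox: the proposed acquisition price "
              "for Northwind Traders is eighty four million dollars, subject to "
              "board approval.")},
    {"to": "colleague@corp.example", "label": "Confidential",
     "body": PROTECTED_DOC},                                           # internal: allowed
]

if __name__ == "__main__":
    for msg in MESSAGES:
        rules = [f["rule"] for f in evaluate(msg, PROTECTED_FP)]
        print(msg["to"], "->", rules or "allow")
```

Running it shows the second message (a 16-digit order number) passing cleanly only because of the Luhn check, and the third message being caught both by the fingerprint (twelve consecutive five-word windows lifted from the protected document) and by its label, while the same document sent internally is allowed.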
Although DLP is crucial, it has well-known challenges:
- False positives
- Inflexible rules that do not adjust to user needs or situations
- Limited visibility into modern collaboration tools (Teams, Slack, etc.)
- Difficulty in telling apart careless, negligent, and malicious behaviour
Traditional DLP products still exist, but changes in the security industry mean that evaluating them without considering newer developments, such as machine learning, data classification and cloud-based data protection, has less value. DLP technology itself has changed little, and many of the vendors that appeared in evaluations have since merged. Gartner stopped updating the DLP Magic Quadrant after 2018, shifting attention to its reports on Security Service Edge (SSE) and Insider Risk Management (IRM) as the future of data security and enterprise DLP.
The Emergence of Insider Risk Management (IRM)
Insider Risk Management (IRM) has evolved from a narrow focus on malicious insiders into a broader, risk-aware discipline that treats careless, negligent and compromised behaviour as equally critical.
- Early 1990s: focus on malicious insiders in government and military contexts.
- 2000s: focus on protecting sensitive data from exfiltration through policy-based controls (DLP).
- 2010s: behavioural analytics enters the scene; governments and large enterprises begin formal insider threat programs, including cross-department collaboration (Security, HR, Legal).
- 2015 to 2019: "insider risk" emerges, and the conceptual shift from "threat" to "risk" acknowledges that not all insider incidents are malicious; definitions broaden to include carelessness, negligence and compromised accounts.
- 2020 to the present: vendors build modern IRM platforms and integrated ecosystems, introducing behavioural risk scoring, risk-based policy enforcement and automated workflows (platform examples: Microsoft Purview, Code42 Incydr, Forcepoint Insider Threat & Risk Adaptive Protection, etc.).
IRM shifts the focus from just blocking actions to understanding users, assessing context, and intervening proportionally. It encompasses:
- User behaviour analytics (UBA) and machine learning to detect anomalies
- Risk scoring based on a combination of user activity, data sensitivity, and historical trends
- Collaboration between security, HR, and compliance teams
- Automated playbooks to escalate, educate, or block, depending on risk level
For example, a departing employee copying hundreds of confidential files to a USB drive might trigger a real-time alert, not just because of the data type but because the unusual volume is combined with a change in employment status.
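The scenario just described, as an added Python example written for this article (it is not code from any IRM platform or from the author). The weights, thresholds, users and telemetry are all constructed for illustration: today's file volume is scored against the user's own baseline, combined with data sensitivity, destination, an HR signal and prior incidents, and the resulting score selects a proportional response. The departing employee's spike to USB scores highest, while the same volume moved to a corporate share by a non-departing user is routed to an analyst rather than blocked.

```python
import statistics
from dataclasses import dataclass

# Weights are hypothetical, chosen for illustration; a real program tunes them
# against its own history and risk tolerance.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}
DESTINATION_WEIGHT = {"corporate_share": 0, "approved_cloud": 1, "usb": 3, "personal_cloud": 4}

@dataclass
class UserContext:
    user: str
    baseline_daily_files: list[int]  # files moved per day over recent history (constructed)
    departing: bool                  # HR signal: resignation notice or scheduled termination
    prior_incidents: int = 0

@dataclass
class Event:
    files: int
    sensitivity: str
    destination: str

def volume_anomaly(baseline: list[int], today: int) -> float:
    """Standard score of today's volume against the user's own baseline (0 if not above normal)."""
    mean = statistics.mean(baseline)
    spread = statistics.pstdev(baseline) or 1.0   # avoid divide-by-zero on a flat baseline
    return max(0.0, (today - mean) / spread)

def risk_score(ctx: UserContext, events: list[Event]) -> dict:
    """Combine behaviour, data sensitivity, destination, HR context and history into 0-100."""
    today = sum(e.files for e in events)
    parts = {
        "volume": min(40.0, volume_anomaly(ctx.baseline_daily_files, today) * 10),
        "sensitivity": max((SENSITIVITY_WEIGHT[e.sensitivity] for e in events), default=0) * 5,
        "destination": max((DESTINATION_WEIGHT[e.destination] for e in events), default=0) * 5,
        "hr_context": 15 if ctx.departing else 0,
        "history": min(10, ctx.prior_incidents * 5),
    }
    parts["total"] = min(100.0, sum(parts.values()))
    return parts

def decide(score: float) -> str:
    """Proportional response instead of a single block/allow decision."""
    if score >= 70:
        return "block_and_escalate"   # stop the transfer, open a case with HR/Legal
    if score >= 40:
        return "escalate_to_analyst"  # human review, no user-visible action yet
    if score >= 20:
        return "educate"              # just-in-time policy reminder to the user
    return "log"

# Constructed scenario data (not real users or telemetry).
ALICE = UserContext("alice", [12, 9, 15, 11, 13], departing=False)
BOB = UserContext("bob", [8, 10, 7, 9, 11], departing=True)
CAROL = UserContext("carol", [8, 10, 7, 9, 11], departing=False)

SCENARIOS = {
    "alice": (ALICE, [Event(10, "internal", "corporate_share")]),       # normal day
    "bob":   (BOB,   [Event(300, "confidential", "usb")]),              # the article's example
    "carol": (CAROL, [Event(300, "confidential", "corporate_share")]),  # same spike, benign context
}

def assess(name: str) -> tuple[dict, str]:
    ctx, events = SCENARIOS[name]
    parts = risk_score(ctx, events)
    return parts, decide(parts["total"])

if __name__ == "__main__":
    for name in SCENARIOS:
        parts, action = assess(name)
        print(f"{name:6} score={parts['total']:5.1f} -> {action}  {parts}")
```

The point of the breakdown dictionary is auditability: when an analyst or HR reviews a case, they can see that the score came from volume plus destination plus the departure signal, not from a single opaque number.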
IRM Is Not Just Technology—It’s a Program
Organizations need more than just tools to implement insider risk management (IRM) effectively. They require a governance framework that includes:
1. Clear risk tolerance levels
2. Employee training and awareness programs
3. Straightforward policies for privacy and data ethics
4. A cross-functional insider risk committee
IRM focuses on creating a culture of trusted transparency: data security that supports user productivity and builds organisational trust.
Key Differences: DLP vs. IRM
| Feature | Data Loss Prevention (DLP) | Insider Risk Management (IRM) |
| --- | --- | --- |
| Focus | Content-based controls | User behaviour and context |
| Detection | Pattern matching, policies | Anomaly detection, risk scoring |
| Response | Block/quarantine | Escalation, education, targeted intervention |
| Visibility | Perimeter- and endpoint-centric | Organisation-wide, including cloud and identities |
| Collaboration | Mostly IT/security | Cross-functional: Security, HR, Legal, Compliance |
The change from Data Loss Prevention (DLP) to Insider Risk Management (IRM) marks a move from control-centric security to a risk-aware approach. As threats grow more complex and insider risks increase, organisations need methods that consider context and put people at the centre of data protection.
This new approach aims not just to stop data loss but to manage risk, maintain trust and support secure collaboration.
About the author
Ajith Nair (LinkedIn profile)
Senior Manager – Technology Consulting
Protiviti Canada
References –
https://www.endpointprotector.com/blog/data-loss-prevention-the-complete-guide
https://www.cyberhaven.com/guides/what-happened-gartner-dlp-magic-quadrant