How to Stop Employees Stealing Company Data in Microsoft 365
Sep 03, 2025
“Oh, Jonathan. Hello. It’s Charles Bell here, managing partner of Hawthorne Bell in London.”
Charles sounded uneasy. He had that tight-lipped look of someone who had just discovered a betrayal in the ranks.
“Not good, actually. I fear that we may have a mole.”
A mole? One of their junior associates, Sha Walton, had handed in his notice, but Charles suspected he was copying company data and passing it to competitors. Last week, Charles had caught Sha trying to upload a client document to Google Drive. He nearly fainted.
Insider risk is no joke. Accidental or deliberate, the danger posed by someone inside your organisation is real. Thankfully, Microsoft 365 has a solution called Insider Risk Management.
This tool tracks risky behaviour, unusual downloads, and data transfers. It can even notice changes in behaviour after someone resigns. Policies can be created based on resignations, priority user groups, or unusual activity. It is polite, in a way, letting wrongdoers know that their actions have been seen.
Insider Risk Management is not about snooping. It is about protecting your organisation and your data. The system allows you to define what type of content you want to protect, from documents tagged with sensitivity labels to emails containing sensitive information types. Alerts are generated when risks are detected, and IT security teams can investigate using the Insider Risk Management dashboard or Microsoft Purview.
Licensing and Pre-Requisites
A quick word on licensing: Microsoft 365 Business Premium does not include Insider Risk Management. You will need either Microsoft 365 E5, Microsoft 365 E5 Compliance, or the Microsoft Purview Insider Risk Management add-on.
Before diving into policies, make sure devices are onboarded to Defender for Endpoint, which Purview relies on for the device-level signals behind insider risk indicators. If your users rely on Google Chrome, install the Microsoft Purview extension. Ideally, everyone should be using Microsoft Edge for full functionality.
Setting Up Insider Risk Management
Once the backend is configured, start with the settings. Turn on analytics to show insights at tenant and user levels. Enable data sharing to export alerts to third-party SIEM systems if required.
Detection groups allow you to categorise domains, file paths, file types, and keywords. For example, free public domains can be flagged for alerts, while trusted partner domains can be excluded. This helps balance security with minimising false positives.
Policy indicators define the activity Microsoft will monitor once a policy is triggered. These include syncing OneDrive content, deleting SharePoint files, risky browser activity, and device indicators. Variants allow you to refine base indicators, for example flagging emails sent only to competitor domains.
Policy timeframes let you look back 90 days if suspicions arise after the fact. Priority user groups are crucial. Employees serving notice, new starters in their first three months, and executives with broad data access should be monitored more closely. These groups can be manually added or uploaded via CSV, and oversight can be assigned to HR or IT.
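Maintaining the priority user groups is the part that most often goes stale, because leavers, new starters and executives change every month. The script below is an added example written for this article, not Microsoft's code: it derives the three groups described above from an HR export and emits the CSV that the portal's import option accepts. The HR records are constructed, and the one-column layout with a UserPrincipalName header is an assumption, so compare it against the template Purview offers when you choose the CSV import.

```python
"""Build Insider Risk Management priority user group CSVs from HR records.

Added example for this article, not Microsoft code. The HR records below are
constructed. The CSV layout (a single UserPrincipalName column) is an
assumption; check it against the template offered by the Purview portal.
"""
import csv
import io
from datetime import date, timedelta

NEW_STARTER_DAYS = 90                      # "first three months" from the article
EXECUTIVE_TITLES = {"Managing Partner", "Partner", "Finance Director"}  # assumed titles
REPORT_DATE = date(2025, 9, 3)             # fixed "today" so the output is reproducible

# Constructed sample HR export: (upn, job title, start date, leaving date or None)
SAMPLE_HR_RECORDS = [
    ("sha.walton@hawthornebell.example", "Junior Associate", date(2023, 4, 3), date(2025, 9, 30)),
    ("charles.bell@hawthornebell.example", "Managing Partner", date(2005, 1, 10), None),
    ("priya.nair@hawthornebell.example", "Trainee Solicitor", date(2025, 8, 18), None),
    ("tom.reed@hawthornebell.example", "Associate", date(2021, 6, 1), None),
    ("old.leaver@hawthornebell.example", "Associate", date(2019, 2, 1), date(2025, 1, 31)),
]


def build_priority_groups(records, today=REPORT_DATE):
    """Return {group name: [UPNs]} for leavers, new starters and executives.

    A user can legitimately land in more than one group (an executive who has
    resigned, for example); the portal treats the groups independently.
    """
    groups = {"Leavers": [], "New starters": [], "Executives": []}
    for upn, title, start, leaving in records:
        # Serving notice: a leaving date is set and has not yet passed.
        if leaving is not None and leaving >= today:
            groups["Leavers"].append(upn)
        # New starter: still inside the first NEW_STARTER_DAYS of employment.
        if date.min < start <= today and today - start <= timedelta(days=NEW_STARTER_DAYS):
            groups["New starters"].append(upn)
        # Executives: broad data access by role, matched on job title.
        if title in EXECUTIVE_TITLES:
            groups["Executives"].append(upn)
    return groups


def to_csv(upns):
    """Render one group as the single-column CSV the import expects (assumed layout)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["UserPrincipalName"])
    for upn in sorted(upns):
        writer.writerow([upn])
    return buf.getvalue()


if __name__ == "__main__":
    for name, members in build_priority_groups(SAMPLE_HR_RECORDS).items():
        print(f"--- {name} ({len(members)} users) ---")
        print(to_csv(members), end="")
```

Run it against a real HR export on a schedule and re-import the CSVs, so that someone who handed in notice yesterday is already in the Leavers group before the policy's look-back window matters.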
Creating Insider Risk Policies
With all settings in place, it is time to create policies. Navigate to Solutions → Insider Risk Management → Policies → Create Policy. Microsoft offers quick policies and custom policies. Quick policies are great for getting started.
Take the Data Leaks policy as an example. This detects potential leaks across all users in the organisation. You can name the policy, apply it to all users or specific groups, and set triggers and indicators.
Think of a trigger as the moment Microsoft 365 starts monitoring someone. Indicators are red flags, like downloading many files, emailing sensitive documents, or accessing restricted folders. Thresholds define how much activity is required before alerts are generated. Microsoft provides built-in thresholds, which can be customised over time. The key is to balance security without overwhelming your IT team with alerts.
Variants allow you to refine monitoring further. For example, you can ignore regular attachments but flag emails sent to competitors. Detection options monitor sequences of activities, such as downloading content from SharePoint and then emailing it externally.
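The trigger, indicator, threshold and sequence concepts above are easier to reason about when you see them as logic over an activity stream. The detector below is an added example written for this article, not Microsoft's code or the Purview engine: it runs the "download from SharePoint, then email outside the organisation" sequence and a bulk-download threshold over constructed audit events, applying the detection-group rules from earlier (trusted partner domains excluded, free public domains escalated). The event field names, domains, window and threshold values are all assumptions for illustration.

```python
"""Toy insider-risk sequence detector modelled on the indicators in the article.

Added example, not Microsoft code. The events are constructed and their shape
(timestamp, user, action, detail) is an assumption, not the real audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Detection groups (constructed): trusted partners never alert, free public
# domains always escalate, everything else external is a medium alert.
INTERNAL_DOMAIN = "hawthornebell.example"
TRUSTED_PARTNER_DOMAINS = {"partnerfirm.example"}
FREE_PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

SEQUENCE_WINDOW = timedelta(hours=24)   # how close the two steps must be (assumed)
BULK_DOWNLOAD_THRESHOLD = 20            # downloads within the window before alerting (assumed)

# Constructed sample events: (ISO timestamp, user, action, detail)
SAMPLE_EVENTS = [
    ("2025-09-01T09:05:00", "sha@hawthornebell.example", "FileDownloaded", "ClientList.xlsx"),
    ("2025-09-01T09:06:00", "sha@hawthornebell.example", "FileDownloaded", "Contract_Acme.docx"),
    ("2025-09-01T11:30:00", "sha@hawthornebell.example", "EmailSent", "recruiter@gmail.com"),
    ("2025-09-01T14:00:00", "alice@hawthornebell.example", "FileDownloaded", "Q3_Report.pptx"),
    ("2025-09-01T14:10:00", "alice@hawthornebell.example", "EmailSent", "counsel@partnerfirm.example"),
    ("2025-09-02T08:00:00", "bob@hawthornebell.example", "EmailSent", "bob@hawthornebell.example"),
]


def classify_domain(address):
    """Map a recipient address onto the detection groups."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return "internal"
    if domain in TRUSTED_PARTNER_DOMAINS:
        return "trusted"
    if domain in FREE_PUBLIC_DOMAINS:
        return "free_public"
    return "external"


def _parsed(events):
    """Parse timestamps and sort chronologically, as a log pipeline would."""
    rows = ((datetime.fromisoformat(ts), u, a, d) for ts, u, a, d in events)
    return sorted(rows, key=lambda row: row[0])


def detect_sequences(events, window=SEQUENCE_WINDOW):
    """Flag downloads followed by an email to a non-trusted external domain."""
    alerts = []
    downloads = defaultdict(list)           # user -> [(time, file name)]
    for ts, user, action, detail in _parsed(events):
        if action == "FileDownloaded":
            downloads[user].append((ts, detail))
            continue
        if action != "EmailSent":
            continue
        group = classify_domain(detail)
        if group in ("internal", "trusted"):
            continue                        # detection-group exclusions
        files = [name for t, name in downloads[user] if ts - t <= window]
        if files:                           # both steps of the sequence seen
            alerts.append({
                "user": user,
                "recipient_domain": detail.rsplit("@", 1)[-1].lower(),
                "files": files,
                "severity": "high" if group == "free_public" else "medium",
            })
    return alerts


def detect_bulk_downloads(events, threshold=BULK_DOWNLOAD_THRESHOLD, window=SEQUENCE_WINDOW):
    """Return users whose download count inside any sliding window reaches the threshold."""
    per_user = defaultdict(list)
    for ts, user, action, _ in _parsed(events):
        if action == "FileDownloaded":
            per_user[user].append(ts)
    flagged = set()
    for user, times in per_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    for alert in detect_sequences(SAMPLE_EVENTS):
        print(alert)
    print("bulk downloaders:", detect_bulk_downloads(SAMPLE_EVENTS, threshold=2))
```

Two things carry over to the real product. First, the sequence alert fires on the second step, so the trigger (here, an external email) is what starts the investigation and the earlier downloads are pulled in from the look-back. Second, the threshold and window are what keep the alert queue manageable: lowering the threshold to 2 flags the sample leaver, while the default of 20 produces no bulk alert at all.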
Custom policies work similarly. You can target specific groups, like employees serving notice, or focus on particular actions, such as moving files to USB drives. Additional features include monitoring AI usage, security policy violations, health record misuse, and risky browser activity.
Tailoring Policies for Your Organisation
Insider Risk Management is designed for enterprises, not small businesses. It requires E5-level licensing (or the Purview add-on noted above) and careful planning. Creating effective policies means working closely with the business to define what needs protection and where the biggest risks lie.
For Charles Bell and Hawthorne Bell, it could mean the difference between secure data and corporate disaster. By monitoring risky behaviour, detecting unusual activity, and responding quickly, organisations can protect sensitive data without turning the workplace into a surveillance nightmare.
Microsoft 365’s Insider Risk Management allows organisations to monitor, detect, and respond to insider threats with precision. From resignations to unusual file transfers, the system helps businesses stay secure in an increasingly risky digital world.