
How to Reveal User Name in Insider Risk Management

  • Writer: Tatiana Slepukhin-Zamachnaia
  • Aug 18, 2024

Updated: Aug 19, 2024


Why Anonymizing Users Matters


When it comes to Insider Risk Management (IRM), one of the key features is the anonymization of users. But why is this important? Let’s break it down.

First off, respecting user privacy is crucial. Anonymizing users helps protect their identity during the investigation process. This isn’t just about being polite; it’s about avoiding unnecessary HR repercussions that could arise if sensitive information gets out too early. Privacy is a big deal, and anonymization helps keep it intact during alert investigations.

The second reason is to rule out bias. Think about it: if someone is investigating a case and they see the name of a user who happens to be their buddy or a well-known coworker, they might struggle to believe that such a nice person could be involved in something shady. This could lead to the investigator, or even the person managing the alerts, being more likely to dismiss the case or not escalate it properly.

On the flip side, imagine if a big boss triggers an alert. The information worker might hesitate to investigate because, well, who wants to poke around the activities of someone so high up? There could be fear of repercussions or the assumption that someone in that position has "special privileges," leading to the alert being ignored or the case being dismissed.

In both scenarios, anonymization helps ensure that investigations are conducted fairly and objectively, without personal connections or organizational hierarchy clouding judgment.


Setting Up User Anonymization in IRM

To scramble user identities, you need to go to the Privacy option in IRM Settings. This is a global setting that applies to the entire Insider Risk Management surface without exceptions. The pseudonymized version of the username will be shown across all IRM alerts, cases, and everywhere else.

Note that anonymization is enabled by default.


Anonymization in Action


Now, let’s take a closer look at how anonymization functions within Insider Risk Management.


The anonymized user information appears across these IRM views:

  • Users
  • Alerts
  • Cases
  • Case
  • User Details

As you can see, all user identities are replaced with pseudonyms, ensuring that no real names are visible during these stages of investigation.


But this leads to a common question: How do we actually find out who the user is if we confirm they’re a rogue insider?

Revealing User Identity


Once you’ve confirmed that a user might be involved in potentially harmful activities, the next step is to uncover their true identity. In Insider Risk Management, this isn’t done lightly; to reveal the user's identity, you must escalate the case. Escalation of the case creates an investigation case in eDiscovery (Premium).


Escalate Case

Navigate to the IRM Case that you need to escalate.

Under the "Case actions" menu, select "Escalate for investigation".

Fill Out the eDiscovery Case Details 

In the fly-out panel, you’ll need to enter an eDiscovery Case name and notes, both of which are mandatory fields.

Note that the source of the eDiscovery Case will be IRM.


Once the case is escalated, the eDiscovery (Premium) case will be created for the user, allowing you to perform detailed content searches and track all user activities that IRM does not cover.


Notification to eDiscovery Managers and Admins 

eDiscovery Managers and eDiscovery Admins will be notified about the case creation, ensuring that the appropriate team is aware and ready to take the next steps.

In eDiscovery, once a case is created, access to that case is typically controlled by eDiscovery Managers or eDiscovery Admins. These roles have the ability to assign permissions and add other users to the case. The person who was the owner of the case in IRM does not automatically get access to the eDiscovery case unless they are specifically added by an eDiscovery Manager or Admin.

So, only eDiscovery Managers or Admins can assign people to the case in eDiscovery, and access is not automatically granted to the IRM case owner.


Find IRM Case in eDiscovery

Navigate to eDiscovery (Premium) and locate the eDiscovery case that you created in the previous step.

Select the "Data Source" tab.

Revealing the user


You can now see the user name under the "Source name" column.

In this example, the rogue employee is revealed to be... Oskar the Grouch!


Now, before you think I'm investigating a beloved Sesame Street character, let me clarify—this is actually the name of my 120-pound guard dog. And while Oskar might be great at keeping intruders out of the house, I can assure you he's not involved in any insider threats!


P.S. I found the bug in User Anonymization that accidentally reveals user identity for select user activities!

Check the following blog post to learn more.

© 2024 Cloud Confidential Inc.
