3 Key Takeaways
- In Australia, a cyber incident hits a small business every six minutes, with an average cost of around AUD $49,600 (ACSC, 2024). Some analysts estimate that 50–60% of SMBs never fully recover after a serious breach — a stark reminder that security, including Microsoft Insider Risk Management, is a matter of business survival.
- Insider threats remain an underappreciated risk for many SMBs.
- The good news: if you already have Microsoft 365 E5, you own tools like Purview IRM, Sentinel, and Defender to protect your trade secrets and IP. Microsoft’s 2025 updates strengthen insider risk detection — but remember, technology alone won’t replace a complete insider risk management program.
Managing insider risk protects your business and your investors
According to the Australian Cyber Security Centre (ACSC, 2024), a cyber incident hits a small business roughly every six minutes, with an average cost of AUD $49,600 per incident. Even worse, some commentators suggest that 50–60% of SMBs never fully recover after a serious cyber attack. That’s not just IT drama — that’s business survival at stake.
If your business is R&D-intensive — biotech, advanced manufacturing, materials science — then your currency is intellectual property. You breathe it, you sweat it, and let’s be honest, you probably worry constantly that someone will steal it. And the reality? That threat isn’t always knocking from outside your firewall. Often, the biggest risk comes from inside your own walls: departing scientists, disgruntled engineers, or even well-meaning employees who don’t realize that “just sharing” can leak your crown jewels.
When it comes to insider threats, most large companies, let alone SMBs, are still playing catch-up. In this article I will explain how you the tools you’re probably already paying for through your Microsoft licensing can help. But first, a short case study:
Case Study: The GSK Scientist
In a high-profile U.S. DOJ case, a GlaxoSmithKline scientist emailed proprietary drug formulas to a company in China, causing over $500 million in lost R&D and IP value.
Now imagine this scenario under Microsoft Purview + Sentinel in 2025:
- The formulas live in SharePoint, Teams, or OneDrive and are labeled with sensitivity (e.g., “Confidential – R&D”).
- Purview ties labels to protection rules: “cannot be emailed externally — or must require justification.”
- Attempting to email triggers Insider Risk Management (IRM) alerts or blocks the action.
- Sentinel’s UEBA detects abnormal behavior — unusually large downloads, off-hours activity, or new endpoints.
- Alerts are combined across Purview, Defender XDR, and Sentinel, giving analysts a clear, high-priority case.
- Purview’s data risk graph visualises 30 days of activity, helping triage faster.
With early detection and response by configuring tools you already have, this sort of damage to IP, commercialisation timelines, and investor confidence could be significantly reduced — maybe even avoided entirely.
If you already have Microsoft 365 E5, you own more of the solution than you think. And now, the latest 2025 updates to Purview and Sentinel have added serious muscle to detect and prevent insider threats — but only if you integrate them into a proper insider risk program and fill in the process gaps.
How Purview + Sentinel Fit Into Your Insider Risk Program
Here’s how Purview + Sentinel support the implementation of your Insider Risk Program:
| Program Component | What Purview / Sentinel Provide (2025) | What Program Managers Must Do | Gaps / Limitations |
|---|---|---|---|
| Asset Identification & Classification | Sensitivity labeling and Unified Data Catalogue classify documents, Teams content, and metadata. | Maintain your IP inventory, map critical projects, and align labels to business value. | Doesn’t cover physical lab notebooks, test rigs, or bespoke machinery metadata. |
| Policy Definition & Risk Indicators | Configure policies in Purview IRM (e.g., “sharing of Confidential documents”) and integrate generative AI risk indicators. | Decide which policies matter, define thresholds, and engage legal/HR. | Microsoft provides generic templates—not biotech-specific models like gene sequences. |
| Behavioral Analytics & Detection | Sentinel UEBA builds baselines, flags deviations, and correlates with IRM alerts. | Tune models regularly, review false positives, and interpret alerts in domain context (e.g., why a scientist downloaded 10 GB after hours). | Entity profiles may miss domain nuances like lab equipment logs or custom LIMS. |
| Continuous Monitoring & Log Retention | Sentinel Data Lake allows long-term retention and unified analytics; Purview data risk graphs visualize user activity over time. | Decide which logs to ingest (QMS, LIMS, endpoints) and maintain connectors. | Doesn’t automatically capture lab instrument logs or IoT devices without custom integration. |
| Access Control & Offboarding | IRM ties into DLP and Entra conditional access; alerts feed into Defender XDR & Sentinel for unified incident management. | Enforce least privilege, automate offboarding, and review permissions periodically. | No direct control over physical access systems or lab network zones outside Microsoft domain. |
| Training & Culture | Insights highlight risky behavior trends and feed training content. | Run tailored awareness programs, embed reporting culture, and address willful breaches. | Tools don’t provide morale incentives or human trust programs—that’s still on you. |
| Incident Response & Investigation | Alerts integrate across IRM and UEBA; workflows allow escalation. | Define incident playbooks, coordinate with HR/legal, and conduct root cause analyses. | Doesn’t integrate into lab SOPs, physical forensics, or external partner investigations. |
The takeaway? The tools assist, but they don’t replace your program. Success comes from aligning process, domain knowledge, and tool tuning.
Benefits and Limitations of the Lastest Update
Most SMBs already have Microsoft 365 E5, which as of 2025 includes:
- Microsoft Purview Insider Risk Management & Information Protection – label sensitive data, prevent unauthorized sharing, and configure insider risk policies.
- Microsoft Sentinel – aggregate alerts, correlate user/device/system events, and analyze anomalous behavior with UEBA.
- Defender for Cloud Apps – monitor shadow IT, risky data exfiltration, and suspicious external sharing.
These tools are powerful — but they work best when embedded in a full insider risk program that combines technology, policies, monitoring, and response.
The benefits of UEBA illustrated with a simple example:
Meet Dr. Lee, your molecular biologist: Normally, Dr. Lee downloads 2 GB from SharePoint each evening. UEBA quietly learns that pattern. One night, Dr. Lee downloads 20 GB and tries to email a zip labeled “Confidential – Patent2027” externally. Purview IRM immediately flags it. UEBA notices the 10× spike and unusual context — after hours, from a new endpoint — correlates it with the IRM alert, and surfaces a high-priority anomaly. Analysts see it in Sentinel, triage the alert, and kick off the response. The key point here is that UEBA doesn’t monitor every email or attachment. That’s IRM/DLP territory. Instead, UEBA focuses on patterns, deviations, and context, giving you the early warning signs before any damage is done.
When it comes to using this practically, however, there are some limitations that you’ll need to keep in mind:
- QMS/LIMS logs: These systems store formulas, protocols, and test data. Purview and Sentinel don’t automatically ingest them — you’ll need APIs, Syslog, or custom connectors to detect anomalies in your crown-jewel IP.
- Physical security systems: Badge access logs (e.g., Gallagher Command Centre) can feed into Sentinel UEBA via REST APIs, correlating physical and digital access.
- Policy alignment: Insider Risk Management policies must coordinate IT, compliance, and R&D to cover all sensitive assets effectively.
Total Cost of Ownership (TCO)
Let’s talk dollars — because even the best plan is irrelevant if it’s financially out of reach.
Access via E5: Your Hidden Advantage
If you already have Microsoft 365 E5, many Purview insider risk features — IRM, sensitivity labeling, and analytics — are already included. You don’t need to pay more; you just need to turn them on and configure them thoughtfully.
Sentinel Pricing Model
- Sentinel charges per GB of data ingested, plus extra for long-term retention.
- The new Sentinel Data Lake GA reduces the cost of historic logs (1–2 years).
- High-volume sources like IoT devices or lab instrument logs can push ingestion costs up, so start with high-value systems first.
Implementation & Ongoing Management Costs
Consulting to deploy, tune, and integrate Sentinel + Purview usually starts around USD ~$25,000 for modest scopes. Costs typically cover:
- Policy workshops — which trade secrets need which protections
- Connecting QMS/LIMS/instrument logs via custom middleware
- Alert tuning, user onboarding, and training
- Ongoing maintenance — reviewing false positives, adjusting thresholds, rotating policies
You’ll also need a security analyst or compliance lead (or a good consultant) to monitor alerts, triage cases, and evolve the models.
So what does this mean for you? The cost of doing nothing is far higher: lost investor confidence, competitive leakage, and compromised commercialization. Even a single IP breach that trims your valuation by 5% in a funding round could outweigh all of these tool and service costs combined.
Putting It All Together: 6 Steps to Roll Out an Insider Risk Program
Here’s a practical roadmap you can follow:
- Audit Your E5 Entitlements
Check which Purview insider risk features you already have. Chances are, you own more than you think — just waiting to be switched on. - Pick Your Initial Policy Domain
Keep it simple. Start with protecting R&D documents, blocking external sharing of “Confidential” files, and monitoring abnormal downloads. - Connect Critical Systems Gradually
Ingest data from SharePoint, Teams, QMS/LIMS, and instrument logs. Use the Insider Risk Indicators import path where possible. Start with your crown-jewel systems; you can expand later. - Enable UEBA in Sentinel
Turn on UEBA and let it build behavioral baselines over 30–90 days. This is where the tool learns what “normal” looks like for your team. - Tune, Triage, Repeat
Review alerts, adjust thresholds, suppress noise, and track metrics like alert volume, conversion rates, and response times. Insider risk management is iterative — not a set-and-forget exercise. - Embed Process, Training & Governance
Align IT, HR, legal, and management. Implement offboarding, access reviews, insider threat training, and domain-specific workflows. Tools alone aren’t enough; people and processes make the difference.
Call to Action: Pick a Small Use Case & Make It Real
Insider threats aren’t theoretical — they directly put your trade secrets, research, and commercialisation efforts at risk. Your Microsoft 365 E5 licence already gives you powerful tools, but only if deployed strategically within a formal insider risk program.
Start small: pick a critical system or high-value dataset, configure your policies, turn on UEBA, and watch how the alerts and patterns help you detect anomalous activity early. Over time, scale your coverage. Don’t let leaks or fraud cripple your business.
Further Reading
- ACSC (2024). Annual Cyber Threat Report 2023-2024
- Curwell (2025). Crafting Security Business Cases for Executive Buy-in
- Curwell (2025). The 3 SMB Risk Management frameworks you need to protect your business
- Curwell (2025). Integrating Security into Quality Management Systems
- Curwell (2025). Biotech and MedTech Investors Are Demanding Security and Resilience: Are You Ready?
- Deloitte (2024). Canada Insider Risk Survey
- Microsoft (2025). What’s new in Microsoft Purview
- Microsoft (2025). Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
DISCLAIMER: All information presented on PaulCurwell.com is intended for general information purposes only. The content of PaulCurwell.com should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon PaulCurwell.com is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.
