BrandView

Best practices for insider threat mitigation

Detecting and mitigating against insider threats is one of the most difficult challenges companies, organizations, and governments face today. This is partially because insider threats are frequently misunderstood, owing to assumptions that are often inaccurate or untrue. This guide provides insights into best practices organizations have learned while developing, managing, and enhancing their Insider Threat Programs (ITP). This guide will serve as an accurate and in-depth resource for understanding and mitigating insider threats.

TIPS FOR YOUR ORGANIZATION’S INSIDER THREAT MITIGATION PROGRAM

Always assume that serious insider threat problems already exist in your organization. Effective communication and collaboration with key stakeholders across different departments (security, HR, IT or network security, etc.) is critical to insider threat detection and mitigation. A lack of communication between key stakeholders can lead to blind spots and the inability to create an accurate snapshot of potential and actual insider threats.

Familiarize yourself with industry reports to gauge your organization’s susceptibility to insider threats. An insider threat can be anyone with the access, intentions, and opportunity to fulfill objectives that run counter to the organization’s own. It does not matter what the size of your organization is. Every organization is susceptible to insider threats. There is a consensus among insider threat mitigation experts that many insider threat incidents are not reported. Here’s why:

• Since the definition of an insider threat can vary, how insider threat incidents are categorized and reported can lead to inaccurate reporting. For example, most industry surveys and reports focus on computer or network incidents and potentially ignore other incidents such as fraud.

• An organization that prosecutes an employee will most likely appear in public court records. Some organizations do not disclose publicly or pursue criminal charges for this reason.

BE AWARE OF UNINTENTIONAL INSIDER THREATS.

Unintentional insider threats can be just as costly and damaging as malicious, intentional ones.

In 2018 McKinsey & Company reviewed the VERIS Community Database, containing about 7,800 publicly reported breaches from 2012 to 2017, to identify the prevalence of insider threat as a core element of cyber-attacks. The research found that 50% of the breaches studied had a substantial insider threat component, but most were not malicious. Negligence and co-opting accounted for 44% of insider-related breaches.

What types of insider threats should you be on the lookout for? See the list for examples.

• New employees bringing in stolen information from their previous employer

• An outsider with connections to an insider in the organization

• Employee threats (includes contractors and trusted business partners)

• Disgruntled employees or job jumpers

• Divided loyalty or allegiance to the US, terrorism, or espionage

• Data theft, data destruction, or information technology sabotage

• Embezzlement, fraud, theft

• Insiders who are unwitting, ignorant, or negligent

• Phishing (credential theft through which criminals pose as insiders)

• Criminal-insider threat collusion

• Nation-state sponsored espionage

• Insider threats during mergers and acquisitions

• Company downsizing or reorganization (morale issues, financial concerns, divided loyalties)

• Workplace violence (bullying, sexual harassment)

TIPS FOR YOUR ORGANIZATION’S INSIDER THREAT MITIGATION PROGRAM

Think of your insider threat program as Security 2.0. See insider threat mitigation as another prism through which to improve overall security. Evaluate your organization’s overall security posture. Make your security culture more proactive through positive incentives and encouraging employees to take security more seriously. Consider implementing a Security Vulnerability Rewards Program.

Get employee buy-in. Employee buy-in is essential for an ITP. Employees should understand the importance of the ITP, its purpose, and how it protects everyone from privacy, financial, and even physical security threats.

Organizations should communicate the ITP to the workforce via a formal policy. Employees must be aware of their responsibility to report behavioral indicators of concern in a secure, private manner.

Insider threat mitigation involves the whole organization. Insider threats are an organizational and human problem that must be addressed from the top of the organization on down. There are many different factors that contribute to the insider threat problem, and understanding these factors is essential for insider threat mitigation (ITM). Evaluate policies, procedures, and business processes across various departments such as security, human resources, IT and network security, etc. to ensure they are robust and effective for mitigating insider threats.

Benchmark, improve and update your program. Managing an ITP is a continuous process. An ITP needs to adapt and adjust to an organization and its security culture. You may need to tweak or enhance your ITP periodically to ensure it remains robust and effective against the evolving threat landscape. Conducting benchmarking or a maturity assessment against other organizations’ programs is a very good way to see how well your ITP stacks up against others.

Consult with Legal. There are many laws related to employee privacy and monitoring, as well as legal considerations or concerns for ITPs. Consult with an attorney who specializes in legal considerations for ITPs to ensure your organization has legally sound processes and procedures to collect, integrate and analyze various data sources for potential or actual insider threats.

Make sure to include NDAs and Codes of Ethics. All individuals managing or supporting an ITP should sign a Non-Disclosure or Code of Ethics Agreement specific to the ITP. Give the ITP Manager and those supporting the ITP Working Group (ITPWG) a formal appointment clearly defining their roles and responsibilities.

Don’t rely solely on background checks. Background checks are a point-in-time snapshot of an employee. Gathering and analyzing internal data sources is very important for insider threat detection. Equally important is knowing what external data sources are also available to create the big picture of potential or actual insider threats. To be more proactive in detecting and mitigating insider threats, many organizations use post-hire solutions that allow the employer to continuously monitor an employee for indicators of concern. With these solutions, organizations can proactively identify employee risks and preemptively address a problem before it escalates.

Network security and employee monitoring is not an ITP. Relying solely on user activity monitoring, behavioral analytics, security information and event management (SIEM), and data loss prevention (DLP) tools for insider threat detection is one reason organizations still have insider threat incidents. Insiders can use other methods for data exfiltration that these tools won’t detect. Also, focusing only on employee network behavior ignores a large portion of the employee work-life picture. External employee stress-related factors, combined with internal stress and disgruntlement, often fuel the fire that ignites into an insider threat.

CONCLUSION

It’s important that you don’t underestimate how damaging an insider threat incident can be to your organization. Below are a few impacts an incident can have on an organization:

• Financial loss

• IT or network sabotage

• Data destruction

• Network downtime

• Data breach and loss of intellectual property, trade secrets, or sensitive business information

• Loss of physical assets

• Reputation or brand equity loss

• Workplace violence

• Loss of business viability

FTK Enterprise

Conduct remote and covert investigations at every endpoint. Expose and investigate a variety of criminal and malicious activities, including data breaches, database tampering, inappropriate sharing of confidential company information, deletion of files, wiping of hard drives, or viewing of inappropriate content. Discretion can be critical when conducting investigations, and FTK® Enterprise ensures that employees and teams aren’t tipped off as you cull through data.
