Best practices for creating an insider threat program
A thorough insider threat program includes plan preparation, threat assessment, and plan review and renewal. Learn how to implement this three-step model to protect your company.
Insider threats continue to be a potent attack vector across every industry vertical. Insider attacks -- whether malicious or negligent -- can lead to system outages, data theft, ransomware and advanced persistent threats.
A challenging aspect of insider threats is that they can be even more difficult to detect than external threats. Insiders can capitalize on their unique insights into their organization's systems and launch attacks that are undetectable or appear to fall within acceptable behavioral norms.
Setting up an insider threat program can dramatically reduce a company's risk level. An ideal threat program has three dimensions:
- plan preparation
- threat assessment
- plan review and renewal
Following are best practices to prepare for and set up a complete insider threat management program and fulfill each dimension.
Step 1. Plan preparation
- Get executive engagement and buy-in. Regularly apprise senior management and the board about the potential risk and mitigation of insider threats, and request their ongoing support.
- Create a cross-organization dedicated threat team. An insider threat team should not just consist of members of the infosec team. Include HR, legal, audit and finance members who can serve as program ambassadors for companywide training and operations. This cross-pollination provides diverse viewpoints in the program.
- Detail onboarding and offboarding procedures. Include how to handle employees, contractors, partners, new hires through M&A and others who have access to company systems or data. Also devise offboarding procedures for terminated employees, contractors, divestitures, etc., so that access is revoked promptly.
- Conduct cybersecurity awareness training. All employees should be trained on the basics of insider threat vigilance.
- Select employees to serve as the vigilant eyes of the insider threat watch. This requires memorable, effective and resonant training. Employees picked should cover a wide demographic and span various functional roles. Training should include awareness of predispositions, stressors and behavioral changes of fellow employees -- as well as the proper protocol to report suspicions. The Cybersecurity and Infrastructure Security Agency (CISA) has outlined a six-step progression that describes how malicious insiders evolve.
- Develop employee incentives. Create HR oversight and monitoring of employee sentiment after events such as salary reviews, layoffs, stock grants and promotions to identify disgruntled insiders early and prevent incidents.
- Use technology to detect anomalous and malicious activity. On the technical front, identify behavior that could indicate insider threats. This involves monitoring network and host activity and deploying tools that provide appropriate monitoring of IT systems. Security monitoring platforms can be used to review how employees access and use company data and flag potential violations. Behavior analytics software and SIEM products can be used to audit activity and discover anomalous actions.
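As an added illustration of the last two points above (not code from the article), the following builds a per-user behavioral baseline from historic access events and flags deviations such as off-hours access, first-time access to a resource, unusual transfer volume and activity from accounts that should have been disabled at offboarding. All events, user names, resource names and the five-times-volume threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: historic events form the behavioral baseline,
# and one day of new events is scored against it. Tuples are
# (user, ISO timestamp, resource, bytes transferred).
BASELINE = [
    ("alice", "2024-03-04T09:12:00", "hr-share", 2_000_000),
    ("alice", "2024-03-05T10:40:00", "hr-share", 1_500_000),
    ("alice", "2024-03-06T14:05:00", "payroll-db", 800_000),
    ("bob", "2024-03-04T08:55:00", "eng-repo", 5_000_000),
    ("bob", "2024-03-05T17:20:00", "eng-repo", 4_000_000),
]
NEW_EVENTS = [
    ("alice", "2024-03-07T11:00:00", "hr-share", 1_800_000),   # within baseline
    ("alice", "2024-03-07T23:30:00", "eng-repo", 1_000_000),   # off-hours, new resource
    ("bob", "2024-03-07T09:10:00", "eng-repo", 60_000_000),    # volume spike
    ("carol", "2024-03-07T12:00:00", "hr-share", 100_000),     # offboarded account
]
OFFBOARDED = {"carol"}  # accounts that offboarding should already have disabled

def build_baseline(events):
    """Per user: hours seen active, resources touched and largest single transfer."""
    profile = defaultdict(lambda: {"hours": set(), "resources": set(), "max_bytes": 0})
    for user, ts, resource, nbytes in events:
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["resources"].add(resource)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return profile

def score_events(events, profile, offboarded, volume_factor=5):
    """Return (user, timestamp, reason) findings for the threat team to triage."""
    findings = []
    for user, ts, resource, nbytes in events:
        if user in offboarded:
            findings.append((user, ts, "activity from offboarded account"))
            continue
        p = profile.get(user)
        if p is None:
            findings.append((user, ts, "no baseline for user"))
            continue
        hour = datetime.fromisoformat(ts).hour
        if not any(abs(hour - h) <= 2 for h in p["hours"]):
            findings.append((user, ts, "access outside usual hours"))
        if resource not in p["resources"]:
            findings.append((user, ts, f"first access to {resource}"))
        if nbytes > volume_factor * p["max_bytes"]:
            findings.append((user, ts, "transfer volume far above baseline"))
    return findings

if __name__ == "__main__":
    for finding in score_events(NEW_EVENTS, build_baseline(BASELINE), OFFBOARDED):
        print(finding)
```

Each finding is a lead for the Step 2 triage decision (negligent versus malicious), not a verdict; the baseline window and thresholds should be tuned per environment to keep false positives manageable.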
Step 2. Threat assessment
When an incident is reported, the threat team needs to be activated immediately, and a timely decision needs to be made about whether the threat is negligent or malicious.
If negligent, the incident needs to be flagged for follow-up to update the cybersecurity awareness training program and/or the technical indicators.
If the incident is determined to be malicious, initiate the following:
- Launch a thorough risk assessment.
- Based on the assessment, recommend appropriate intervention actions.
- For emergency situations that involve an immediate threat to physical safety, activate the company's emergency response plan, and contact local law enforcement.
Step 3. Plan review and renewal
- Market changes. Keep up to date with new and changing regulations, breaches at competitors, stock market swings, etc., and update the preparation stage's processes, training and operations to reflect any changes.
- Societal changes. Elections, wars, violence, demographic shifts and so forth need to be factored into potential threat triggers. Update the plan preparation and threat assessment stages' processes, training and operations as needed.
- Technological changes. Always be aware of new detection tools, better analytics that reduce false positives and technology-driven changes, such as the metaverse, nonfungible tokens and cryptocurrency, and their effect on the plan preparation and threat assessment stages' processes, training and operations.
Insider threats will continue to be a persistent threat vector for the foreseeable future. Following this three-stage methodology greatly reduces the risk of suffering malicious or negligent insider attacks.