Insider Threat Management

7 Ways to Better Understand the People Behind Insider Threat Incidents

Share with your network!


The key to detecting and stopping insider threat incidents from happening starts with understanding the people who are behind them. Who are they? What are their wants and needs? What problems do they face?

If you can’t answer these basic questions, you are setting yourself (and your organisation) up for failure. This is because of one very important, yet often overlooked, truth:

“Understanding is a two-way street.”
- Eleanor Roosevelt

Expanding the Scope of Who is an “Insider”

We, as humans, tend to view things from a very limited perspective. Namely, “what impacts me, and my goals.” This is not to suggest that your own personal well-being and goals are not important – far from it. But thinking and acting within a vacuum is not the best way to establish trust and understanding among two or more parties.

And trust and understanding are at the very heart of cybersecurity. Particularly when it comes to the insider threat problem.

Without them, all of the rules, policies, processes, and technologies implemented in the name of security and protection are for nothing. You’d be working against the current, rather than harnessing it.

How to Better Understand Potential Insider Threats

In the name of progress, we’ve created a list of 7 ways to help you better understand the people behind insider threat incidents.

And there is an emphasis on people. It is really crucial to remember that despite all of the high-profile stories, and daunting statistics, the perpetrators of these incidents are just like you and me.


[click_to_tweet tweet="Ultimately, insider threats are people, not monsters." quote="Ultimately, insider threats are people, not monsters." theme="style3"]

With that said, here are some great ways to get to know them better so that we can all detect potential insider threat incidents and stop them:

  1. Know who has access, and why

    If there is one universal constant across all forms of communication, it is the importance of knowing your audience. The same goes for detecting and stopping potential insider threats.Who are they?

    Consider your organisation’s employees, as well as your third-party contractors and vendors. What departments do they work in? Do they have specific titles or roles? How might these answers affect their access levels to valuable systems, files, and data?

    Work with each department, including legal and human resources (HR) to make sure that you have an up-to-date record of new or changing access variables. If you need more visibility, consider how insider user accounts for technologies are created, accessed, and managed, and implement processes and tools that make it easier to identify an individual when necessary.

  2. Identify the problems that they face day-to-day

    Everybody has problems that they’re facing. Make sure you’re not the cause of 99 of them, by considering your audience (your insiders) each and every step of the way.

    Try to identify what kinds of scenarios that they find themselves in every day, as they try to accomplish their work. Are they stuck using older hardware? Is there an inability to update or install software updates on their own? Do they work in the office, or are they remote? Can they connect to company resources via their internet connection?

    This all leads into how you need to…

  3. Consider the ways in which people must work

    Every team and every role have very specific ways, and tools, needed to do their work effectively. While your end goal is to safeguard the organisation against cybersecurity risk, there is huge potential for security policies and tools to become a barrier to organisational performance.

    If anything, aim to be more of a guardrail than a barrier – something there to keep people in line with cybersecurity best practices.

    For example, if your organisation requires constant sharing and distribution of documents and files, implementing tools or processes that block file movement isn’t a smart move. Especially if there is no alternative method for moving files around between – say for example –marketing and sales teams.

    The truth is that people will always find workarounds, and they may expose your organisation to greater risk of an insider threat incident! It’s best to find balance.

  1. Catalog your policies and regularly collect feedback

    Finding a good middle ground for your cybersecurity policies can be difficult if you don’t offer ways for the people in or working for your organisation to view said policies or offer feedback.This is the best way to hear if there are any specific points of frustration, while inspiring a positive cybersecurity culture to form. People want to be heard, and if you’re willing to be transparent with them, they will be more likely to be transparent with you.

  2. Proactively educate insiders on policy

    There is a strong tendency for an “us versus them” mentality to form between cybersecurity teams and insiders, particularly if policies are seen as limiting to personal freedoms.To avoid this scenario, consider how you might inform and educate your organisation about new or updated policies.

    Can you get ahead of any potential negativity by communicating more transparency (and clearly!) about best-practices and limitations? Are there tools that you can use to politely notify an insider that the action they are taking may be out-of-policy, and coach them about alternative options?

  3. Measure activity that runs counter to policies

    Once you start proactively educating your insiders about policies, particularly with in-the-moment prompts, consider how you might be able to measure activity that runs counter to the policies in place.For instance, if you block access to Gmail and you notice a trend of insiders trying to access these services (despite prompts stating the policy), you know that there is a problem. Either your organisation’s employees or third-party contractors: 1.) don’t care about the policy, 2.) still didn’t read it, or 3.) don’t have a viable alternative.

    These learnings will help you better understand their motivations – or ask follow-up questions to fill in the gaps.

  4. Be willing to have a conversation

    If you want to understand somebody you have to be willing to talk to them and listen to their perspective on things. Even cybersecurity!

    Yes, it’s really that simple.

Detect and Stop Insider Threat Incidents

Proofpoint’s Insider Threat Management platform helps teams get the risk context they need, by capturing a more complete picture of risky or out-of-policy user and file activity.

But don’t just take our word for it…

Try Proofpoint ITM for Free