How to Confront an Insider Threat

So, you’ve successfully detected and then investigated a potential insider threat. You’ve learned a great deal about that user (be it an employee or a third-party contractor), including who they are, what happened, when, where, and also why, thanks to the visibility given to you by your insider threat management solution.

You’re ready to take action. The data-backed evidence you need is there, in both video and textual log form. But how do you confront the perpetrator?

The short answer is, you don’t. The reason why comes down to two things: your role-based expertise, and your overall intentions.

Know Your Role

By definition, your expertise and role as a cybersecurity professional relates primarily to cybersecurity. Any matters of personnel management, reprimanding, etc. should involve members of Human Resources and/or Legal, depending on the severity of the situation at hand. To do otherwise may invite undue risk upon yourself, your team, and your organisation as a whole.

Intention-wise, it’s more of the same. Consider the meaning of the word “confront” for a moment. It has associations that are primarily negative – when you confront someone, you’re challenging them, and inviting a response. More often than not, that response will be anything but positive, increasing risk.

No one wants that.

How to De-Escalate the Potential for Conflict

If the way that your organisation is structured demands that your cybersecurity team is responsible for the immediate conversations following an insider threat investigation, consider these handy conflict resolution tips:

  1. Show Empathy

    Your insiders are your greatest asset, as well as your greatest risk. Their challenges, concerns, and frustrations are valuable. A little empathy can go a long way towards building trust in your efforts, the importance of cybersecurity, and improving your programs.

  2. Think Before You Act

    Not all insider threat incidents are malicious. In fact, most are accidental! Take time to consider the perspective of your insider, and how you may be able to improve policies and policy communication. You may discover that your policies are creating a barrier that keeps your insiders from doing what they do best – their jobs!

  3. Be Prepared to Listen

    Listening to what people have to say is a great way to de-escalate a situation. Oftentimes, not feeling heard is a factor in building up tension that leads to an outburst, or in building up defenses that may reinforce negative preconceptions about things like, say, “burdensome” cybersecurity policies.

  4. Find Agreement Points

    If you can find common ground, you can find a way to move forward in a conversation.

  5. Provide Guidance

    Depending on the insider threat incident’s severity, you may want to consider providing guidance on what the user might be able to do better in future. For example: if your organisation bans cloud storage apps, the user might find it helpful to learn about how your VPN works, etc.

In addition to these tips, consider how else you might be able to prevent insider threat incidents from occurring in the first place.

If you can detect a potential insider threat based on user activity, why not provide a guided prompt in real time that coaches that user on cybersecurity policy? Are you capable of blocking out-of-policy activity? Do you have easy-to-understand policies in place, in a location that anyone can access and respond to?

Final Thoughts

Remember: insider threat management isn’t just about technology. It’s a holistic approach that balances People, Processes, and Technology in an effort to bring about a culture comfortable with improving and maintaining organisational cybersecurity health.

