Insider Threat Management

Professionals Series: Cyber Crisis Management During an Insider Threat Incident

Share with your network!

In a perfect world, incident response efforts would be handled quietly, without the need for cyber crisis management. Unfortunately, the pace of high profile Insider Threat incidents doesn’t show any signs of slowing down (particularly with new disclosure requirements for GDPR and other regulations). In the event of a media crisis, your organisation may consult with outside legal and communications counsel to determine how best to proceed. 

In our latest installment of the Professionals Series, we talk to David Churbuck, cybersecurity crisis expert at Sitrick And Company and founding editor of, about the cross-disciplinary practice of incident response.

Prep and Planning is Crucial

According to Churbuck, proper preparation and planning for an Insider Threat incident response is one of the most crucial steps that many companies neglect -- until it’s too late. “All too often the response team is assembled after an incident happens,” he says. “But, a lot of the decision-making and approval processes for matters like public disclosures should be put into motion far in advance.” 

In the planning phase, organisations should engage a cross-disciplinary team to determine a communications strategy with well-defined roles and responsibilities. Training sessions and tabletop exercises will help team members understand exactly how their role plays out in the event of an actual incident. Incident simulations may help teams determine how to respond to an incident, and where there are potential areas of strength and weakness with their people, processes, and technology.

At this stage, the security leadership in the organisation should also evaluate the technology stack and review which tools should be used at each phase of the incident response process. In addition, a thorough documentation process should be put into place to help the security team understand exactly what happened and prevent similar incidents from occurring in the future.

Less is More During Insider Threat Investigations

In the early days of a potential incident, there’s always a possibility that an organisation could be caught off-guard and notified by an employee or the media. Ideally, systems would already be in place to proactively detect and alert security teams to potential Insider Threat incidents before they become public knowledge. However, in situations where the organisation learns of a potential breach from a third party, organisations often rush to make public disclosures before it’s necessary -- which could cause reputational damage.

“An active investigation is ongoing; make no assumptions until security researchers know the root cause of an incident,” said Churbuck. “Most Insider Threat incidents are caused by user mistakes, so a preemptive apology could be damaging. Instead, you should be transparent and communicate the facts as you become confident in them. So much of public cybersecurity incident response is about gaining the trust of the press and the community. Focus on the solution and what will be done to fix any potential fallout.”

Dedicated Insider Threat management solutions can speed the investigation process and provide concrete evidence on both user activity and data movement -- helping security teams deliver the facts to legal, compliance, and communications teams in a timely manner. With tools like Proofpoint ITM, a security analyst can use visual capture and replay to understand the chain of events, all the way back to the user who initiated the incident. This type of forensic data is invaluable in the incident response process.

Follow Legal and Compliance Timelines

In the event of a confirmed incident, legal and compliance teams will dictate the timing and the amount of information that’s disclosed to regulators, customers, and the general public. In addition, if necessary, legal teams will work with law enforcement to bring appropriate charges against malicious insiders. All disclosures and legal decisions should be informed by digital forensics data obtained by the security team, as well as any outside research firms that are employed by the company.

“Always make sure the response is commensurate with the incident,” said Churbuck. “It’s important to follow legal and compliance timelines to make sure any response falls in line with the appropriate state-by-state disclosure requirements. And, confidence in the investigation, as well as the resulting evidence, will help organisations avoid the spread of misinformation (or embarrassing retractions from premature disclosures).”

Do you plan to work with outside legal or communications teams in the event of an Insider Threat-related incident? Learn more about building a sophisticated, multi-disciplinary Insider Threat program in our latest guide.