Insider Threat Management

Top 5 Insider Threat Best Practices to Prepare for 2020

Share with your network!

TL;DR New year, new beginnings? Here are Proofpoint's top five best practices to follow in 2020 and beyond when it comes to mitigating Insider Threats.

There’s nothing quite like a new year to inspire change—a new decade even more so! 

Insider Threats have been on the rise for the last four years, with 34% of all breaches caused by insiders according to the 2019 Verizon DBIR. We expect that trend to continue in 2020 and the decade ahead, which means it’s all the more important to level up your Insider Threat defense practices.

When it comes to risk mitigation and organisational security, here are some of the best practices we recommend to approach Insider Threat management for 2020 and the decade to come.

1) Prioritise Contextual Intelligence

There's a lot of talk about the role of artificial intelligence when it comes to security, including Insider Threat management. AI has become a buzzword across many sectors, including security. While there is certainly merit to the concept of AI, and it can be powerful when executed in a smart way, any artificial intelligence algorithm or model is only as good as the data that is fed to it.

From our vantage point, when it comes to using algorithms and computer programs to manage Insider Threats, the real key is to be able to build contextual intelligence—in other words, to have timely data that enables the business to understand the context behind an incident. 

  • What happened before, during and after? 
  • Was the incident accidental or malicious in nature? 
  • Who was really behind it, and what was the end goal? 

Only with this level of context can you respond in a timely and appropriate fashion to Insider Threats.

2) Building Complete Insider Threat Management Programs

Currently, many businesses only have an Insider Threat investigations capability, and in many cases they do not have strong enough tools to run those investigations in a timely manner due to insufficient context, as explained above.

In the new decade, we recommend that businesses adopt Insider Threat detection and response alongside their investigations capabilities, to help them build a more complete Insider Threat management program. 

We also recommend that larger businesses build a dedicated Insider Threat function within their security teams, including hiring personnel and allocating budgets specifically to Insider Threats. This only makes sense given how common these risks have become, and how widespread and costly their fallout can be.

To learn more about what it takes to build a comprehensive Insider Threat management program, get our Ultimate Guide here.

3) Balancing Privacy and Security

As privacy regulations like GDPR spread across the globe, it's becoming a bigger priority for businesses to properly balance their security needs with protecting the privacy of their users (employees and third parties), customers and beyond. 

In 2020, we recommend that all organisations invest in security programs (including Insider Threat management) that put both security and privacy at the heart of their goals. 

For example, with the fine-grained permissions settings available in Proofpoint ITM, companies can ensure that all user activity data is anonymised unless an analyst or information security practitioner absolutely must view the user’s identity. Teams can determine who holds the keys to this information and restrict access to preserve privacy, while still ensuring that anonymised alerts fire when any out-of-policy behaviour is detected.

We won’t lie: It can be a tricky balance to strike, but strong security features like these make it possible. A "privacy by design" mindset enables businesses to protect the privacy of their users without making major security sacrifices.

4) Understanding Root Causes

Insider threats are a tricky and unique beast, not least of all because they can result from either accidental or malicious behaviour by insiders. We recently had an interesting conversation with one of our customers about the importance of understanding the root causes of Insider Threats. 

He pointed out that, while it’s all well and good to chase down Insider Threats as they arise, it’s even better to understand which technologies enable them; which organisational practices inspire them; and how cultural shifts might be able to decrease them. 

These conditions will be different for every organisation. For some, it may be that allowing access to personal cloud storage at work is simply not worth the risk. For others, there is value in a “trust but verify” approach that lets employees use these services but applies an extra layer of monitoring to that usage. 

We can’t provide companies with a single, definitive best practice when it comes to root causes, but we recommend looking at your unique set of user activity data and considering whether there are tweaks that can be made to your policies that will decrease your Insider Threat overall risk. 

5) Start Measuring

In conversations with many organisations, even those with the most sophisticated Insider Threat programs often do not have a robust strategy for measuring the value of their efforts or demonstrating quantitative improvement over time. While it’s no easy feat to measure some aspects of security, there are inarguably areas that can be measured and that we believe should be measured. After all, if you don’t have any way to quantify where you stand today, in 2019, how will you know whether your security posture has improved by this time in 2020—or 2029? 

Some of the metrics we strongly recommend tracking include:

  • Mean time to detection (MTTD)
  • Mean time to resolution (MTTR) Note: Some of our customers measure “time to close an investigation,” which is a related and useful metric. 
  • Return on investment: The cost of security tools and programs vs. the cost of incidents

Here are some other Insider Threat Metrics to Justify Your Program.

Putting a robust measurement program in place will not only make it easier to secure ongoing budget for Insider Threat management, but will also enable team to practice continuous improvement and decrease their risk profile over time as a result. 

Ringing in a New, More Secure Decade

Thank you for reading along here, as always, and we look forward to continuing the conversation on Insider Threat management in 2020 and beyond. We hope these best practices can help inform your strategy as you look to tackle Insider Threats this year. Join us here for more insights, tips, and information on how to best respond to Insider Threats in the real world.