The risk of an insider threat should not be overlooked. Research for the latest Data Breach Investigations Report from Verizon found that 74% of data breaches involve a human element. That finding underscores the need for businesses—and not just their security teams—to consider what solutions they can implement to protect themselves from careless, malicious and compromised insiders.
An effective way to mitigate insider risk is to take a proactive, programmatic approach to insider threat management (ITM). In this blog post, we’ll look at what this means and what it takes.
Why is it important to take a programmatic approach to insider threats?
When you take a programmatic approach to ITM, you get a variety of business benefits. The most effective ITM programs don’t just focus on tracking data; they also correlate data movement with user activity. This improves a company’s ability to identify risky user behavior and prevent insider-led incidents.
Before you can create an effective ITM program, however, you need to understand the three types of insider threats:
- Careless insiders. These users make mistakes that lead to data loss incidents.
- Malicious insiders. Some employees or third parties (such as contractors, vendors or partners) are motivated by personal gain or are intent on harming the business. These insiders might exfiltrate trade secrets or take intellectual property when they leave the company.
- Compromised insiders. Sometimes, user login information or other credentials are stolen by external threat actors who can use these credentials to access apps and systems.
Understanding these types can help you choose the best response to an insider threat. When you’re developing your ITM program, you should also put processes in place to ensure that cross-functional teams—such as human resources, legal, and privacy and compliance—are involved in an insider investigation, if needed.
4 basic components of a mature approach to insider threat management
When you set out to build your own formal and proactive approach to ITM, you should aim to include the following four components:
1. Governance and metrics
The foundation of any insider threat strategy is governance, which is largely based around people, program and policy. Many companies have governance policies, but these should be reviewed and revised regularly to ensure that they evolve to meet the challenges of new and emerging insider threats.
Continuous improvement should be a top goal for any ITM program. But you can’t improve something that you can’t measure. So, to build and maintain an effective ITM program, companies must identify the metrics that matter most for both compliance and periodic assessments.
2. Detection and monitoring
In today’s world of multichannel engagement, companies should be tracking sensitive data and user behavior across email, endpoints, cloud and the web. This is important for two reasons:
- Humans are often at the center of most data breaches, as noted earlier. That’s why building a security culture at your company matters.
- The longer it takes to resolve an incident, the costlier it becomes. Research from Ponemon Institute found that the average incident takes 85 days to contain. And incidents that take 90 days to contain cost companies $17.19 million annually, on average.
If you want to reduce potential damage from insiders, your ITM program should have a way to not only detect data loss and risky user behavior, but also alert security teams so they can react in real time.
3. Investigation and response
Businesses with a mature approach to insider threat management recognize that incident response is important. Not only should you be able to identify the who, what, when, why and where of incidents, but you should also be able to do all those things quickly.
Adding context with a user timeline can help to accelerate insider threat investigations. The speed of an investigation can have a significant impact on how much harm attackers can do.
4. Privacy and compliance
It’s important to consider any relevant compliance regulations and cultural differences across geographies. These details should be incorporated into your company’s security training program and security processes. Make sure you have clear risk escalation procedures and cybersecurity whistleblower protections, like a “watch the watchers” process. User privacy is important, too, as it removes potential bias in investigations.
Get started on your proactive approach to insider threats
Businesses that take a proactive approach to ITM can better defend themselves against insider-led data loss and brand damage. And when they support that approach with Proofpoint Insider Threat Management, they can amplify their ability to detect these threats. They can determine with greater accuracy if users are engaging in risky behavior like data exfiltration, application misuse or espionage.
The right governance structure and policies also help businesses ensure they can balance user privacy and productivity with security.