We have a lot of programmes in information security. We have programmes for operational security, like SecOps and incident response, programmes to measure and understand risk, such as risk management and vendor risk management, and programmes to manage programmes, like road maps and future project management.
Another programme, with several unique facets, is insider threat management (ITM). For one, the success of an ITM programme is completely dependent upon involving stakeholders beyond IT and information security. Since anyone in your organisation could become a source of insider challenges, you need representation from all parts of your organisation. Also, you need to communicate and understand how your own organisation works, how to define organisational success, and what risks or barriers could undermine your programme’s success.
Proofpoint has a guide to setting up an ITM programme that’s a helpful starting point for establishing and building your own programme. However, the benefits of having an ITM programme can be hard to discern. With that in mind, here’s a closer look at three distinct benefits of an ITM programme:
Benefit #1: Building a defensible security programme
We all know there’s no such thing as perfect security or perfect protection. However, that’s no excuse to ignore the insider threat problem.
Insider threats are challenging—and managing them involves gaining an understanding of people’s intentions. This can be messy and complicated, and the decision to “allow” or “block” isn’t always binary.
Insider threats touch so many areas of IT and compliance that if nothing is done to address them, or done properly, it creates an obvious gap to your defensibility argument.
The first step of defensibility is to run your ITM programme as a separate programme, not just another activity your security operations centre (SOC) function supports. You must also build effective communication channels with different areas of your organisation as well as with the human resources, legal and privacy functions.
To build trust and defensibility, you must also establish a solid understanding of your ITM programme’s scope, what you can and can’t do, the use cases you can solve for, and the threats you can detect and mitigate.
Benefit #2: Improve your overall approach to incident response
Most security programmes are rooted in the principles of your security incident response programme—either NIST 800-61 or ISO/IEC 27035. However, since insider threats involve people, and understanding a person’s motivation is vital to understanding insider threats, we need to determine if a user is careless, compromised or truly malicious in their intentions.
From the “2022 Ponemon Cost of Insider Threats Global Report”, we know that 56% of all insider threat incidents are rooted in carelessness, negligence or accidental behaviours. So, from a volume perspective, most cases you’ll likely need to handle will be “good users making bad decisions with good applications and data”. However, as Ponemon’s research also shows, in 44% of cases, that won’t be the situation.
On a per-incident cost basis, the most expensive incidents will be those involving compromised accounts and credentials. That means you can’t count on an ITM programme that only detects the problem and doesn’t interoperate with other capabilities to respond or recover from threats.
Understanding user intent and context, and not focusing only on the data-centric problem, is harder to do (IT and infosec teams must have an open dialogue with app and data owners) but more worthwhile to right-size security and reduce the time to contain insider threat incidents.
Benefit #3: Contribute to a stronger security culture
As previously mentioned, research shows that more than half of insider threat incidents are due to carelessness and accidental usage scenarios. Building a sustainable security culture that drives behaviour change is therefore critical to remediating these incidents and evolving your ITM programme to focus on more complex insider threat scenarios.
There’s also a distinct difference between monitoring and surveillance:
- Monitoring collects data and is considered asset-focused (endpoints, mobile devices, apps, etc.).
- Surveillance aims to provide a holistic picture of a specific person through their behaviours, identities and other people-centric activities.
Surveillance sounds daunting, and you can’t simply throw products at the issue. Instead, you need to start with a well-thought-out programme and have good technologies to support it.
Users and organisations, and even works councils, are willing to accept monitoring and surveillance activities given that they understand “why” and agree with the “use case” constraints for monitoring and surveillance activities. This is also why it’s critical to integrate your security awareness training with your ITM programme—especially for dealing with the high volume of careless events.
During Insider Threat Awareness Month, you can find out more about best practices for managing insider threats in a Proofpoint webinar featuring Forrester. Also, be sure to check out our upcoming fireside chat with Pfizer on approaches to ITM.
If you’re looking for information about where to start, Proofpoint can help with that, too. Check out the free resources in our insider threat management hub.