Insider Threat Management

An Insider Threat Investigation Checklist for HR


This post has been updated since its original publication on May 25, 2016.

Here’s a scenario: you’ve been keeping an eye on a particular employee or 3rd-party vendor after discovering a trend of risky or (seemingly) irresponsible digital activity, and you’ve determined that they are an insider threat to your organisation.

Now what?

You don’t want to wait for an insider threat incident to occur or grow worse. The time for action is now! The problem is that you can’t clearly identify the intent of the privileged user, and you know that taking the wrong stance or action against them could cause a major human resources (HR) snafu – or worse.

Don’t worry, we’ve got you covered. In this post, you’ll learn how to work with your HR team to manage an insider threat investigation and build a handy checklist to boot.

We’ll show you:

  1. How to utilise an Insider Threat Rating System to determine the best course of action
  2. How to prepare for an insider threat discussion with an employee or 3rd-party vendor
  3. How to team up with HR before and after an insider threat interview or incident


1. Have an Insider Threat Rating System in Place

If you’re utilising an insider threat management solution like Proofpoint ITM, you know that you can quickly identify privileged users who are behaving riskily or breaking organisational security policy. But once you do, do you have a hierarchy or rating system in place to help you prioritise and escalate a response?

When your team receives an out-of-policy notification or insider threat tip, you should be ready to triage and respond within 10 minutes.

Your Insider Threat Rating System can be as simple as follows:

  • Green
    Indicates low-risk potential, with no further investigation needed.
  • Yellow
    Indicates medium-risk or uncertain potential, with immediate initial investigation required.
  • Red
    Indicates a sure risk, needing immediate investigation and action to prevent greater insider threat exposure or spread.

It is acceptable for your system to differ from the one mentioned above, but the simpler it is while containing all of the information you need, the better.

The response team can then react based on clear communication guidelines:

  • Green
    Maintain an internal log, noting the incident for future reference.
  • Yellow
    Notify HR, IT, Legal, and Executives based on escalation criteria (and possibly the Government, depending on your compliance guidelines).
  • Red
    Notify HR, IT, Legal, Executives, Government (if needed), and the Authorities for immediate response.

Note: If your insider threat management tools can’t deliver the evidence that you need for your digital investigation in a quick and timely fashion (we’re talking minutes), then it may be time for a new solution.

2. Working with HR to Respond Appropriately

In the event that the insider threat is in the yellow or red status, you should refer to your organisation’s Insider Threat Management Policy to determine the best method for communicating with the privileged user indicated as directly involved with the threat.

It is generally best practice to reach out to your internal human resources team in the event that the threat is in one of these statuses.

Work with HR to determine:

  1. What language is included in the organisation’s Employee (or Vendor) Agreement regarding theft of proprietary information, security infringements, or risky behaviour?
  2. What type of training has been previously provided for the privileged user?
    (What should they know, and can you verify that they completed the training?)
  3. Have consequences for breaking policy been previously communicated, and acknowledged?
    (How, and how often are also great to know.)
  4. Whether you have valid proof to back up the accusation and to identify intent or behavioural changes
    (Verbal testimony, Proofpoint video replay, and action timeline)
  5. Whether the privileged user is still employed or contracted by the organisation

As you can imagine, there are a great many insider-threat-related scenarios to prepare for.

The best thing that you can do is to try to understand the intent of privileged users, deploy the right tools and policies for protecting proprietary systems and data (as well as for reconstructing insider threat incidents when they occur), and be willing and able to adapt to changing security needs and requirements.

3. Performing an In-Depth Digital Investigation

It’s also crucial to make sure that you have the hard evidence that you need to determine whether an insider threat suspect is, in fact, guilty of breaking policy.

What to remember when gathering evidence for your digital investigation:

  1. Use your tools and conversations to do your homework and investigate quickly
  2. Ensure that you have a valid accusation and proof (verbal testimony, step-by-step video replay/coverage)
  3. Include any documented behavioural changes
  4. Note any complaints by employees, as well as changes in employee status
  5. Share these details with HR

From a logistical standpoint, be sure to refer to your organisational policies to see who should be involved in the conversation and when. (Typically, HR is involved at some point in the process.) Then, consider how to prepare, and what you should do in the unfortunate event the conversation goes sour.