Welcome to the final installment of our three-part series on insider threat management (ITM). Our last blog covered what it takes to jump-start an insider threat management program. Now, in this post, we dive a little deeper.
Insider threats are a growing, people-centric problem. Last year, these threats cost organizations $11.45 million—an increase of 31% in just two years. Insider incidents can be challenging to detect because they can involve employees, contractors or partners who start from a position of trust. Not to mention, three-quarters of these types of incidents happen by accident.
As a result, any insider threat management program will include a mix of legal considerations, along with policies and procedures. Here are four essential building blocks that fall under these two categories:
1. Investigation and threat mitigation
An important aspect of any insider threat management program is the ability to mitigate insider risk proactively. All too often, organizations react to alerts based on incidents that have already taken place. Because it can be difficult to trace the root cause of an incident, insider investigations can sometimes drag on for weeks, months or even longer.
The longer an investigation takes, the costlier the incident becomes. Since insider threats involve personnel, human resources (HR), legal and line-of-business managers are key stakeholders in these investigations, in addition to IT.
Mitigating insider risk proactively means having visibility into both user and data activity. Many legacy security tools only focus on the data portion of the problem. In reality, people move data. Clear evidence of who did what, when, where and why can help speed up investigations. If an incident results from a user error, this evidence can equally exonerate innocent people just trying to get their job done.
2. Governance and policy
A solid insider threat management program starts with a clearly defined policy. It’s essential to ensure this policy can be understood easily by anyone in the organization—including external contractors or partners who interact with sensitive data. Regular security awareness training can help reinforce this policy with users (but we’ll talk more about that later).
Another layer of governance is an internal plan that determines the incident chain of command. These policies and procedures should unify the information security aspects of an insider breach with the organization’s personnel obligations. Also, they should take into account user privacy and compliance wherever possible.
3. Background checks
Background checks have been a standard operating procedure for many organizations in the employee onboarding process. A comprehensive check from a reputable provider can uncover many of the potential precursors to an insider threat. These checks can also help HR teams make informed hiring decisions in accordance with legal protocols.
However, background checks are limited in scope. They’re often a one-and-done endeavor. In reality, periodic check-ins based on employees’ behavior and sentiment can be more accurate in determining well-being. Things like financial stress, job dissatisfaction and more can be potential insider threat indicators.
4. Awareness and training
Your people are the first line of defense against insider risk. While certain types of basic security awareness and training information apply to all insiders (employees, partners and contractors), you should strive to tailor your training. For example, privileged users should get a different level of training than the average employee based on their access level alone.
The goal of training should be taking your users beyond mere awareness of security policies and issues to truly educating them. Users should receive instruction on the why and how of assessing the risk and security implications of various situations. Also, the security team should verify that insiders know how to apply security best practices as they perform their daily job duties.
Build your insider threat management program today
Insider threats are a complex problem that most cybersecurity tools just weren’t designed to address. So, it’s easy to see why insider threat management platforms are one of the fastest-growing categories of cybersecurity.
To learn more about how to build an insider threat program, watch our latest webinar “Cyberthreat Game Changer: A New Look at Insider Threats”.
Subscribe to the Proofpoint Blog