Welcome to our three-part series focused insider threat management. It will help you better understand your organization’s insider risk exposure. You’ll also learn how to build the basics of an insider threat management program.
First, what is an insider threat? An insider threat occurs when someone with authorized access to critical information or systems misuses that access - either purposefully or accidentally. And they don’t just come from employees—they may also originate with former employees, contract workers, supply chain partners or service providers. They may involve sabotage, fraud, data theft or even unintentional or accidental harm. Not to mention, the huge increase in remote work in 2020 as people work-from-anywhere - and has made people the new security perimeter.
In our first post of the series, we’ll focus on four important questions to ask to assess your insider threat risk maturity.
1. Is your governance program set up for insider threat risks?
A solid governance program that encompasses people, processes and technology must be created at the outset of an insider threat management plan. The program must include detection and response methods specific to insider threats. In addition, it should take into consideration privacy and compliance.
Start by forming an insider threat working group. Is the insider threat working group reviewing technical- and process-related insider threat risk metrics on a regular basis? It should be. And teams should be tasked with identifying and measuring new areas of risk over time. Finally, conduct annual assessments both internally and with external auditors.
2. Are you set up to monitor not only data, but people?
The longer an insider incident remains unresolved, the more it will cost. According to The Ponemon Institute, incidents that take 77 days or longer to resolve cost organizations millions per year. To mature an insider threat program, your organization should monitor user activity in addition to data movement.
Teams should get real-time alerts on both data and user activity—including employees, contractors, suppliers and partners. Check for systems access, compliance incidents, criminal behavior, and other threats. It’s only possible to respond to threats the organization knows about, so detection is a very important aspect of any insider threat management program.
3. Is your team prepared to respond to insider incidents?
Mature organizations understand that incident response is critically important. Since insider incidents are so people-focused, they must involve stakeholders from across the organization. It’s a team sport that potentially involves legal, HR, compliance, communications, and business unit leaders.
That’s why sophisticated insider threat programs have a formal incident response plan in place. At minimum, this should include training of security and IT personnel, user activity monitoring, cross-team collaboration, and communication of potential security incidents across the organization.
4. Are you protecting user and data privacy?
Are you following best practices to ensure user and data privacy, while protecting the organization’s interests? Exact regulatory requirements will vary for each business. However, any insider threat program should include a plan to meet and maintain compliance.
Depending on the requirements, insider incident investigations will also vary. First, it’s important to understand whether out-of-policy activity is malicious or accidental in nature. It’s possible to do this while still preserving anonymity for the user. Then, if an incident is escalated, you can take swift, evidence-based action.
Key Takeaways
Understanding insider risk means knowing how current processes are set up to detect, investigate and respond to complex insider threats and prevent data loss. Since so many insider incidents happen because of user error, it’s hard for some organizations to assess their risk. However, once you have a better sense of the problem, it’s easier to know how to jump-start your insider threat management program. That’s what we’ll cover in the next blog in our series.
In the meantime, take our Insider Threat Risk Assessment to find out if your organization is protected. Walk away with an in-depth plan to improve your insider threat maturity.
Subscribe to the Proofpoint Blog