An insider risk program should never be overlooked. From data to operations to your bottom line, an insider threat can have a near-immediate and significant impact on your business.
According to the latest Data Breach Investigations Report from Verizon, 85% of data breaches involve a human element. That finding underscores the need for organizations—and not just the security team—to think differently about how to implement solutions to keep the organization safe.
Establishing and maintaining a mature insider threat management (ITM) program is a start.
What is an insider threat management program?
An ITM program delivers many business benefits because it is designed to protect against data loss and brand damage associated with insider threat risks. The most effective ITM programs don’t just track data; instead, they correlate data movement with user activity, empowering organizations to identify user risks and detect insider-led data breaches effectively.
Creating an effective ITM program hinges on organizations understanding the three primary insider threat profiles:
- Negligent insider threat — A negligent insider is someone who makes a mistake that unintentionally results in a data loss incident.
- Malicious insider threat — A malicious insider is an employee or third party (for example, a contractor, vendor or partner) who intentionally exposes the organization’s data for financial gain or out of spite.
- Compromised insider threat — A compromised insider is an employee whose login information or other credentials have been compromised and who, as a result, unintentionally grants adversaries access to applications and systems.
While understanding the three insider threat profiles can help organizations identify a specific type of insider threat event more effectively, that knowledge is just part of the puzzle. Organizations must also have the correct processes in place to ensure the ITM program does what it should.
Building a mature insider threat management program
Understanding insider risk means knowing how current processes are set up to detect, investigate and respond to complex insider threats to prevent data loss. To create a mature ITM program, organizations must build out the following four components:
1. Governance and metrics
The foundation of any insider threat program is governance, which is built largely around people, program and policy. Many organizations likely have existing governance policies, but they should review and revise them regularly to ensure the ITM program can evolve effectively to meet the challenge of new and emerging threats.
The goal for any mature insider threat management program is continuous improvement—but you can’t improve something you can’t measure. So, to build and maintain a mature and effective ITM program, organizations need to identify the metrics that matter most for compliance and periodic assessments.
2. Detection and monitoring
In today’s world of multichannel engagement, it’s critical for an ITM program to track and monitor sensitive data and behavior across the network, email, endpoints, cloud, web and removable media channels. This is important for two reasons:
- First, organizations need to effectively monitor the channels that employees use to do their work. This is important because, as noted earlier, research shows that most data breaches involve a human element. That is why building a security culture at your company matters.
- Second, the longer an incident lingers, the costlier it becomes. According to research from Ponemon Institute, the average incident takes 77 days to contain, and incidents that exceed 90 days to contain cost organizations an average of $13.71 million annually.
Rapid detection mechanisms with real-time alerts on data and user activity can help in this area.
3. Investigation and response
Organizations with a mature ITM program recognize the importance of incident response. Though it’s crucial for organizations to identify the who, what, when, why and where of incidents, it’s perhaps just as important to do all of those things quickly.
Consolidating all this context into a user timeline accelerates investigations. And the speed of the insider threat investigation can have significant implications for how much harm attackers can do.
4. Privacy and compliance
A mature ITM program must also take into consideration unique industry compliance regulations, as well as cultural differences across geographies. This also points to the importance of an organization’s security training program and organizational processes, such as clear risk escalation procedures and cybersecurity whistleblower protections that allow the team to “watch the watchers.”
Establish and maintain a mature insider threat management program
With a mature ITM program in place, such as the Proofpoint Insider Threat Management solution, organizations can more effectively detect insider threats across all three insider threat profiles, and more accurately determine if users are engaging in risky behavior (like data exfiltration or application misuse). This, combined with creating and implementing the right governance structure and policies, ensures organizations can balance user privacy with organizational security.
Unsure of the maturity of your ITM program? Take our five-minute Insider Risk Assessment to check your insider risk readiness.