Insider Threat Management

Insider Threat Mitigation: 5 Best Practices to Reduce Risk

Share with your network!

(Updated 01/28/2021)

The term “insider threat” often invokes images of sinister, hooded, malicious employees lurking in the shadows. (Think Mr. Hyde, of Dr. Jekyll and Mr. Hyde.) The insider’s goal: to steal company trade secrets, or more frighteningly, cause chaos by bringing down your organization from the inside.

The reality for most organizations isn’t quite so cinematic. The so-called “evil insider” is an infrequent situation, with instances of malicious threats likely to occur once in a blue moon. An unintentional insider threat, on the other hand, is far more likely.

In fact, in a 2020 Ponemon study on the Cost of Insider Threats, it was reported that the number of insider-caused cybersecurity incidents increased by a whopping 47% since 2018. So why are so many organizations focused on mitigating “malicious,” rather than unintentional insider threats?

When the cybersecurity risk to your organization’s vital systems and data comes from the insider, it can be daunting to find ways to mitigate it. The last thing that anyone wants to do is add more layers to an already management-heavy security setup, increasing the burden on both your own team and your users.

Thankfully, with the right attitude, approach, and insider threat management tools, this doesn’t have to be the case.

In this post, we’ll share best practices for insider threat mitigation to help your organization reduce risk and overcome any challenges you might face along the way.

1. Understand Your Users (the Insider Threat)

As we mentioned earlier, the average user doesn’t plan to steal, or misuse data or systems access. The truth is, they want to take the path of least resistance. If there is an avenue that helps them perform their duties quickly and painlessly, you should assume that they will take that approach. (Yes, regardless of whether or not it is secure.)

Understanding the intent of insider threats is important, because it allows you to get ahead of risky behavior, and problem solve. How can you safeguard organizational assets, systems, and data, without having to worry as much about the insider threat?

2. Communicate Policy Well, and Often

The first step to mitigating the risk of unintentional insider threats involves communication. If you know your cybersecurity policies are written in Morse Code (which admittedly, sounds cool), it is likely that the average person won’t understand how to follow it, let alone the purpose of it. Talk with your users, and see if they are experiencing performance bottlenecks using your current data loss prevention tools or policies. Then, see if there is a way to take a more “hands-off” approach to safeguard systems or data from exfiltration.

3. Detect Behavioral Trends (and Investigate “Risky Behavior”)

Another way to understand if your unintentional insider threat tools and policies are working involves studying behavioral trends. For example, how people are engaging with data and systems on a daily basis.You should be able to audit all actions taken by employees and vendors, getting visibility into who is doing what, when and why. This user session recording would need to include visual recordings or playback capability of interactions, rich metadata providing full context into a user’s session, and easy-to-understand alerts and activity breakdowns for quick analysis.

4. Look at Each User Action as a “Coaching Moment”

Once a “risky” or out-of-policy behavior is discovered, note the contextual intent. If it appears that the incident was an unintentional insider threat, don’t immediately flex your punitive muscles. While punitive measures are important for repeated risky behavior or malicious intent, it is much more helpful to consider an unintentional insider threat incident to be a coaching moment.

Consider: if the incident was caused by a misunderstanding of policy, overzealous (or confusing policy), or simply not paying attention. Then, share an example-based rationale for why this policy is in place to solidify its importance.

5. Consistently Respond to Incidents

In the event that an unfortunate unintentional insider threat incident occurs, it is crucial that you can quickly and consistently respond—particularly alongside your HR team.The last thing you want is for your users (and potential insider threats) to feel as though they are being monitored and micro-managed. By setting expectations upfront, and consistently communicating with them, you can establish a more positive atmosphere in which cybersecurity is seen as an asset and not a burden.

Final Thoughts

The important thing to take away from all of this is that the average unintentional insider threat is exactly as it claims: unintentional.

If you can build an Insider Threat Program that humanizes your organization’s cybersecurity policy and protects an individual’s privacy and ability to do their work without interference, you decrease the risk and frequency of unintentional insider threat incidents. (And with that, we all win.)

Subscribe to the Proofpoint Blog