Insider Threat Management

Why "Consistency" is the Name of the Game in Incident Response

Share with your network!


Did you play a team sport when you were a kid? I sure didn’t, but if there is one thing that I’ve learned from watching “Angels in the Outfield” and “Rookie of the Year,” it’s that consistency is everything.

This is also the case for handling insider threat incidents.

You need to be able to consistently identify a potential incident, investigate it, and take steps to prevent a recurrence. Without a standardized order of operations, the process may get bogged down, or critical details might get missed.

In other words, if you can’t be consistent with your insider threat incident response methods, you might get benched. (And we don’t want that!) So why is consistency the name of the game?

Defining Incident Response

At its core, incident response refers to a standardized approach to managing the aftermath of an insider threat incident. It is intended to provide a framework for mitigating risk of extensive damage and cost.

Not having a standard way of responding to an incident is like not knowing that when some part of you catches fire, you should Stop, Drop, and Roll. You need a plan for how you will react in a potential crisis, to help guide you down the best possible path without extra thought.

For example, in the context of baseball, if it’s the middle of the 5th inning and your starting pitcher is starting to throw buck wild, you know it’s time to pull him for a reliever based on your game plan. Staying the course, or giving the situation some thought will just lead to more baserunners, or worse – runs batted in.

While you’d clearly prefer that your starting pitcher could last a bit longer, it’s OK to have a contingency plan. It’s just one part of the greater overall Insider Threat Management plan, and it (pun intended) covers your bases, allowing you to quickly and confidently take action without worry.

How to Consistently Respond to Insider Threat Incidents

“I became a good pitcher when I stopped trying to make them miss the ball and started trying to make them hit it.”
– Sandy Koufax

  1. Recognize the scenario

    What are some of the common ways that your organization’s insiders may misuse their access to systems and data, either intentionally or unintentionally?

    If you can list out the potential scenarios, their potential cost and impact, and how you can best respond to resolve the issue, you’re setting yourself up for success when a crisis strikes.

  2. Know what you need to succeed

    There is a certain amount of data-based evidence that you’ll need to not only gain insight into insider activity, but also their intent. Map out what key indicators you might use to identify the situation as an insider threat incident or if the user’s activity is trending that direction.

  3. Talk with the right people

    Once you’ve been able to identify an insider threat incident, you’ll need to know who needs to be a part of the conversation. In a lot of organizations, this is where you loop in HR or Legal for help.

  4. Deliver appropriate evidence

    When you reach out to HR, Legal, or whomever else is a stakeholder in an insider threat incident scenario, you need to have the right data to back up your claim. By using the right tools, you can deliver the evidence that you need, in a format that is easily understandable for pretty much anyone.

  5. Take steps to prevent related insider threat incidents

    After the incident has passed (or sometimes even during) you will want to deploy a strategy for preventing a repeat offense. What can you do to proactively coach, educate, and notify your insiders of potential cybersecurity policy breaches, before a problem becomes a nightmare?


How are you maintaining insider threat incident response consistency at your organization? We’d love to hear from you! You can tweet @Proofpoint or reach out to us on Linkedin.