5 Organizational Elements for Insider Threat Program Success
"Ninety percent of organizations feel vulnerable to insider attacks."
2018 Insider Threat Report, Cybersecurity Insiders
Working with clients across every industry, we are no strangers to the insider threat conversation. In fact, the topic made our list of top five cybersecurity priorities for 2019. As awareness grows of the risk posed by employees and contractors with access to critical assets, insider threat programs will continue to be a priority discussion. For many organizations, developing a formal insider threat program ultimately falls off the priority list due to resource constraints, competing external threats, or the perception that insider threat is too overwhelming to tackle. What many companies don’t realize is that they likely have most of the components of an insider threat program already in place.
We’ve identified ten components, both organizational and technical, that your internal teams can turn into tangible, tactical measures with minimal effort.
Here are the five organizational elements you likely already have in place to put towards combating insider threats:
1. Establish Cross-team Collaboration
Opportunity: An easy step to safeguard your organization is to ensure your defensive processes are being consistently followed and enforced. Identify trigger events such as exfiltration of certain data classification types, sign-off on confidentiality agreements, performance review processes, resignations, layoffs, etc. All stakeholders should be involved in developing the framework and agree to process elements.
Required Resource(s): Threat team collaboration should include representatives from senior leadership, human resources, physical security, cybersecurity, IT, and legal. Also be sure to include your high-priority asset owners.
Gaps: A common pitfall is not having a consistent meeting cadence or worse, only meeting when there’s an incident. This drives a reactive, response-focused culture. Meet on a regular basis to evaluate deficiencies, identify risks across the enterprise, and determine how everyone can contribute to reducing the identified risks.
Beyond the Basics: Once you have engagement across the enterprise, consider formally establishing an insider threat program that has representation from all stakeholders and clear policies and procedures for its actions and workflow.
2. Organize Your Policies and Procedures
Opportunity: Many of the policies you already have in place apply to insider threats. You can quickly assemble an insider threat-focused policy that consolidates the applicable parts of those policies; it can be used to increase employee awareness, reduce incidents of unintentional insider risk, and protect the company in the event of termination or legal action. This policy also ensures the proper procedures are in place to help the company stay unbiased and fair when performing insider threat investigations.
Required Resource(s): Policies such as data protection, acceptable use, user access control, and records retention, to name a few, often provide guidance as well as permissions to monitor for insider threats.
Gaps: Reevaluate your applicable policies to ensure they are up to date. New technologies are constantly being introduced into your IT environment, and new risks emerge daily. It’s important that your policies and procedures reflect those changes.
Beyond the Basics: After an insider threat policy is created and all other policies are updated, company-wide training should be executed so employees are aware and informed.
3. Review Physical Security Data
Opportunity: It’s a scary reality, but irrational employee activity can be a precursor to physical violence. You can be proactive by centralizing and correlating physical security inputs and outputs and utilizing cybersecurity tools to produce alerts on anomalous behaviors, such as employees entering the building at unusual times or unauthorized persons trying to badge through a restricted area.
Required Resource(s): Physical security includes badging data, video surveillance, and the ability to alert on and correlate physical data sources, potentially through a security system.
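As an added illustration of the correlation described above (example code written for this article, not a vendor's or the authors' own tooling), the following Python takes a badge-reader export and raises the two kinds of alerts mentioned: entries granted outside a business-hours window and repeated denied badge attempts against a restricted zone. The log lines, zone names and thresholds are constructed for the example; a real deployment would feed badging data into the SIEM or alerting tool the organization already runs.

```python
from collections import Counter
from datetime import datetime

# Constructed sample badge-reader export (not from any real system).
# Columns: timestamp, badge_id, door, zone, result
BADGE_LOG = """\
2019-03-04T08:02:11,B1001,MAIN-ENTRY,LOBBY,GRANTED
2019-03-04T08:05:40,B1002,MAIN-ENTRY,LOBBY,GRANTED
2019-03-04T23:41:09,B1002,MAIN-ENTRY,LOBBY,GRANTED
2019-03-04T23:44:30,B1002,DC-DOOR,SERVER_ROOM,DENIED
2019-03-04T23:45:02,B1002,DC-DOOR,SERVER_ROOM,DENIED
2019-03-05T12:10:55,B1003,DC-DOOR,SERVER_ROOM,GRANTED
2019-03-05T12:12:01,B1004,DC-DOOR,SERVER_ROOM,DENIED
"""

RESTRICTED_ZONES = {"SERVER_ROOM"}  # assumed: zones where a denied badge merits review
BUSINESS_HOURS = (7, 19)            # assumed: 07:00-18:59 is the normal entry window
REPEAT_THRESHOLD = 2                # assumed: denied attempts per badge/zone that escalate


def parse_badge_log(text):
    """Turn the CSV export into event dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, door, zone, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "badge": badge,
                       "door": door, "zone": zone, "result": result})
    return events


def detect_badge_anomalies(events):
    """Return (alert_type, badge, zone, timestamp) tuples for the two anomaly types."""
    alerts = []
    denied = Counter()  # (badge, zone) -> count of denied attempts so far
    start, end = BUSINESS_HOURS
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] == "GRANTED" and not (start <= e["ts"].hour < end):
            alerts.append(("AFTER_HOURS_ENTRY", e["badge"], e["zone"], e["ts"].isoformat()))
        if e["result"] == "DENIED" and e["zone"] in RESTRICTED_ZONES:
            key = (e["badge"], e["zone"])
            denied[key] += 1
            # Alert once, at the moment the repeat threshold is reached
            if denied[key] == REPEAT_THRESHOLD:
                alerts.append(("REPEATED_RESTRICTED_DENIAL", e["badge"], e["zone"], e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_badge_anomalies(parse_badge_log(BADGE_LOG)):
        print(alert)
```

A single denied badge (B1004 here) is deliberately not alerted on, so that ordinary mis-swipes do not flood the HR and security teams; the threshold is the tuning knob the cross-team group should agree on.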
Gaps: Training supervisors and partnering with HR are key. Coach supervisors to identify behavioral indicators, such as irrational behavior or a drastic decline in performance, and opportunities to proactively assist employees. Consider offering an employee assistance program.
Beyond the Basics: Identify organizational changes, past and planned, that might stress employees. Create communication plans to allay concerns over:
- Department and/or structural reporting changes
- Physical office relocation
- Mergers and acquisitions
- Changes in benefits such as health coverage
4. Develop an Employee Separation Process
Opportunity: When employees leave the company, they may be unclear about the ownership of work products they created, which are likely retained by the company as its intellectual property. Your company should have a tight communication process regarding employee separations and transfers so that proper procedures can be enacted in a timely manner. Usually the supervisor submits a form to HR regarding a termination, but the information may not flow to the IT, cybersecurity, or physical security teams. Improve coordination across these teams.
Required Resource(s): A clear employee separation process that involves supervisors, HR, physical security, IT, and cybersecurity teams.
Gaps: Employee education is often a gap that can be easily addressed. Clearly define what constitutes intellectual property that belongs to the organization and communicate that to employees. This is a valuable topic to add to your training and awareness program. In addition, employee separation processes often lack detail as to what managers should do and when. Updating your process with clear steps for all departments will close this gap.
Beyond the Basics: Define pre- and post-separation time frames to ensure company access, assets and data are properly terminated, returned, and safeguarded. As soon as a supervisor is aware that an employee is leaving the company, the coordinated process should be activated and include physical security, corporate security, cybersecurity, and IT to protect company assets.
5. Enhance Training and Awareness
Opportunity: Your organization likely has employee security and compliance training modules as part of standard onboarding and annual awareness. Take a fresh look at your policies and training content to improve their effectiveness against insider threats.
- Add insider threat examples of email phishing and password security to your annual security and compliance training.
- Include targeted insider threat-related language in your code of conduct.
- Update and communicate reporting procedures and resources such as an advertised helpline so employees understand how to report suspicious behavior.
Required Resource(s): Standard topics include IT security hygiene, code of conduct, ethics violations, and organizational policies and procedures related to IT security, physical security, and human resources.
Gaps: Make your employees a part of corporate defense by bringing awareness to what they need to protect. Identify insider threat-related topics to add to your security awareness program. Work with stakeholders to build out your priority intelligence requirements and choose topics aligned to the threats your organization is most susceptible to, such as:
- Data breach / leak
- Introducing malware
- Data breach from compromised system
- Data leakage from lack of awareness
- System malfunction due to malware
- Phishing victim
- Password security
Beyond the Basics: With a clear view of business priorities, critical assets, and cyber defense training opportunities, you can ramp up your training efforts with program additions such as:
- Behavior modification procedures and a rewards-based incentive program aligned to training topics and policies and procedures.
- Comprehensive campaigns for core topics. Consider all internal channels of communication, including intranet, posters, lunch and learns, key meetings, etc.
Check out Part 2 to learn of five technology components your organization likely already has that can be put towards combating insider threats.