In the realm of enterprise cybersecurity, it’s no secret that data breaches and cyber attacks have damaging effects. Despite the growing sophistication and prevalence of enterprise cyber crimes, the most concerning aspect of these incidents remain their source. A recent IBM study posited that today’s most damaging security threats were not the work of malicious outsiders or malware but that of trusted insiders, who were implicated in a shocking 60 percent of cyber attacks.
Despite this startling revelation, recent assessments on Insider Threat Programs have drawn correlations to a concerning trend related to the way that organizations address the threat of insiders in their cybersecurity architecture. Industry snapshots benchmarking organizations’ abilities to monitor, detect, mitigate and respond to insider threats reveal that a mere seven percent of companies rate themselves as having an optimized set of insider threat protections in place.
The question then is, why, despite the mounting evidence supporting the risk that insider threats pose, do organizations continue to keep insufficient protections in place? The answer to that question lies in the complexity and resources required to design and implement an Insider Threat Protection (ITP) program that casts a net of protection across the entire organization and its assets.
The development of a sufficient Insider Threat Protection program does not start nor end with employment of a technology solution. Rather, the process is equally if not more dependent on shifts in corporate culture, corporate communications, human resource processes and a daily concern that any employee – even those you believe are trustworthy – can, at any moment, become a threat. Before you even begin to build an insider threat protection program, it’s important to understand exactly what you’re up against – in the interest of being able to overcome each obstacle.
Obtain Executive Buy-In
This is paramount. Buy-in from executives will provide your organization with the leverage required to work across the enterprise, secure budgeting and establish a strong foundation to your company’s ITP program. In your efforts to establish an effective ITP program, begin with soliciting the support of the C-Suite and other key departments to ensure adequate funding to put the right tools in place, form sufficient teams, craft effective processes and enforce necessary policies. Discuss the program in terms of the individual stakeholder, telling them how their concerns are addressed and covering how it directly benefits their part of the organization. Expect speedbumps to establishing an effective ITP program if this does not come first.
Engage Your Legal Team
Consult with legal counsel early and frequently in your plans to ensure the ITP program can be leveraged appropriately. Your legal counsel should advise on any laws and regulations for your jurisdiction, inform about privacy issues surrounding the mechanisms of your ITP program and help devise plans should action need to be taken against an employee either administratively or legally. Addressing the concern and legality of employee activity may be necessary before moving ahead in your strategy. Ensure with your legal team that all consequences are clearly defined and that policies are strictly enforceable and in line with organizational culture, as well as privacy concerns.
Define Response Processes
Next in the process comes defining and clearly outlining the process for how to respond to an insider threat situation. This includes whom within the organization will be notified, and who will own components of any investigation and remediation.
Assembling an Insider Threat Program team is a critical component of this step, which will help to align the interests of all facets of the organization – IT, HR, Legal, Security and the C-Suite. Assign a Senior Officer to lead the team and focus your efforts on establishing where risk exists in the organization, how to monitor for it and formalize a response when discovered.
Create an Inventory of Critical Data
This is the primary object of the Insider Threat Program goal. It is crucial to keep tabs on where your company’s critical, sensitive, protected and valuable data is located, and which employees have access to it. After taking an inventory count, you may work with your security team to ensure accurate monitoring of users with access to important company assets.
Establish a Holistic View of Internal Threats
View internal threats holistically as you would external threats. Include not just employees but also contractors and vendors with access to the network. Enforce data protection on all teams - not just sales or engineering - to avoid gaps in protection. Senior officials who often have more access to sensitive data than they truly need are also targets of accidental (and malicious) breaches that shouldn’t be ignored.
Identify Existing Technologies
Identify and account for existing technologies within your organization during the formulation of your ITP program. Systems used by HR and IT may augment your ITP program. Any criminal investigation will corroborate evidence so knowing what other resources can supplement the ITP program will only serve to make it more robust.
Establish Clear Acceptable Use Policies
Work with your Insider Threat Program team to establish clear acceptable use policies for how employees can use corporate devices, networks and other resources, as well as formulate policies surrounding BYOD devices. Fundamental security practices should be part of any security strategy to help protect the data that employees are given access to. This may mean limiting what personal activities are allowed on those resources.
Assist HR
Identify the means to assist HR in the employee screening process. Utilization of processes, people and any other organizational resources at your disposal should be employed to maximize insider threat prevention efforts. Bolstering HR’s screening process will give your company an extra layer of oversight and may prevent a potential threat from being onboarded. Follow-up screening of active employees against public data – such as arrest records and bankruptcy filings – can help identify potential issues that often lead to higher risks at work.
Invest in the Correct Tools
The budget for an organization's Insider Threat Program will be largely dependent on its size and needs; however, more successful programs do tend to allocate more funds towards protection. Much of your budget will likely go to tools – so make your decision a wise one. Invest in the correct tools to identify, prevent and mitigate insider threats and focus on incorporating technologies that give visibility into the endpoints, the network, user access and critical data of your organization. Moreover, the solutions you choose should provide you with visibility into user behavior – as, behavior is a main determinant in whether an action is seen as malicious or beneficial to the organization.
Formalize Communications
Remember that formalized communications are a product of a formal team and set of processes in place. Establish the communications necessary to support your program and make it all about protecting the data. Include ITP program communication as part of the onboarding and annual training processes to generate awareness and set expectations. Openness and transparency with employees will help avoid issues by setting expectations, enlisting employees to be mindful protectors of critical data and deterring malicious breaches.
Take on the Task
Building your defense against insider threats should begin with the strong foundation of fostering communication and support across the enterprise. By facilitating an open line of communication, as well as formal processes and policies of your insider threat prevention efforts, members of your organization will understand the purpose of your strategy and their roles.
Once this foundation is established, the upkeep of your ITP program will be dependent on consistent efforts by the Insider Threat Program team to demonstrate value to the C-Suite and other key departments, respond to employee concerns and maintain open communications regarding company policies and expectations.
A carefully constructed, nuanced insider threat prevention program will provide increased visibility into shifting risks and changes in business operations, and help make sure your company’s most valuable data and intellectual assets are protected from its greatest threat – within.
About the Author:
Patrick Knight is the Senior Director of Cyber Strategy and Product Management at Veriato, an innovator in actionable user behavior analytics and a global leader in insider threat protection, where he helps organizations protect critical data from threats by trusted insiders. For over 17 years, his cybersecurity career has helped enterprises protect against online threats through the development of anti-malware, network intrusion detection, computer and network forensics and encryption technologies. He is a writer and speaker on topics of cybersecurity and privacy in multiple forums including NITSIG and Virus Bulletin. He is a 12-year veteran of the U.S. Intelligence Community and the United States Army in the fields of Signals Intelligence and Cryptanalysis and a Russian and Serbo-Croatian Linguist. He can be reached on Twitter at @PatrickKnight70 and on LinkedIn at linkedin.com/in/PatrickKnight70.
