Managing insider threats is a critical part of managing overall cyber risk. However, the topic gets less press coverage than it deserves because many incidents go unreported: they are often handled quietly unless an arrest or some other publicity-driving factor pushes an organization to disclose. Laws on reporting cyber incidents at large are catching up, but it is still far more common to see headlines about companies that have suffered a breach of customer or employee personal or financial information.
The result is that many cybersecurity programs have not given insider threat controls the right level of focus in their priorities unless a major incident has forced a more intentional focus on the insider.
I’ve had the chance to experience insider threat incidents and their program impact and aftermath, both at corporations I’ve worked for and with clients we’ve supported. Many organizations assume it will never happen to them, but I’ve seen the same risks materialize at 10-person companies and at companies with tens of thousands of employees. Reacting after a major incident is always significantly more disruptive and astronomically more expensive than proactively embedding insider threat risk into your program’s focus.
Here are some key areas of focus to consider as you build or enhance your information security insider threat program.
- Ensure Cross-Functional Engagement and Sponsorship – insider threat programs require cross-functional engagement (typically HR, legal, IT, and security). Ensuring that your program has roles and responsibilities defined along with a clear senior leader sponsor for the program is critical for success.
- Know Your Assets – Even though asset inventory is a top control in the CIS Critical Security Controls (CSC) and the NIST CSF, many organizations haven’t spent the time to identify and prioritize their information assets, which may be IT systems, data/file repositories, or third parties. Assets should be prioritized by criticality. Note that it is a common mistake to assume BCP/DR system criticality is sufficient: BCP criticality typically captures only availability risk and leaves information sensitivity (confidentiality and integrity) out of the picture, so a file share nobody needs restored within 24 hours may still hold your most sensitive data.
- Understand Your Personas – Any individual could intentionally or unintentionally cause an incident, but specific departments and role types have a heightened impact if compromised or misused (for example, users with elevated privileges to critical systems). Defining high-risk personas helps identify where to spend extra time (awareness, training, security-focused business process improvements).
- Equip and Empower the Workforce – Insider threat can be a difficult topic for employee awareness programs, because no one likes to think about a colleague doing something malicious. However, it is critical to equip the workforce to handle information securely, keep access limited to those with a business need, and know how to report potential insider threat concerns.
- Define Clear Policies – Policies are critical because they set expectations for the workforce and enable accountability if an incident does occur. While they need to be legally enforceable, balance the usual tension between dense legal language that is hard to read and comprehend and the clarity and usability that make a policy something employees actually follow.
- Assess Threats and Control Gaps – A variety of threat modeling and risk assessment activities can help you prioritize where to focus; MITRE, CISA, and CERT have all published useful frameworks. A useful exercise within your program is to enumerate the ways information can be taken from your company (for example, removable media, personal email or cloud storage, printing, and bulk exports from business applications) and then check which of those paths your current controls actually cover.
- Ensure Architecture and Tool Coverage – Various tools and technologies can support your insider threat focus, and some require more people and process definition than others to be effective. SIEM (Security Information and Event Management) rules focused on the application layer can be effective if you have a good handle on your critical applications and where your most sensitive information sits. UEBA (User and Entity Behavior Analytics) detects behavioral anomalies and can flag potential concerns based on deviation from a baselined “normal.” DLP (Data Loss Prevention) technology can help flag potential data exfiltration. Lastly, Privileged Access Management (PAM) platforms and focus are critical to proactively reducing risk among your highest-risk users, those with elevated privileges to critical systems and network components. Regardless of where you are starting technology-wise, spend time mapping technical controls to the capabilities you need so you attain rationalized coverage rather than overlapping tools with gaps between them.
- Plan and Practice – Ensure your information security incident response plan includes handling tactics for insider threat scenarios, which differ from external intrusions in evidence preservation, HR and legal involvement, and the need for discretion. Including an insider threat scenario in a tabletop exercise helps the organization prepare and ensures the incident can be managed effectively when it happens.
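As an added illustration of the SIEM-rule and UEBA approaches described under Architecture and Tool Coverage (this is example code written for this page, not code from the original article or from any vendor product), the script below runs two detections over a constructed application-layer audit log. The first is a static SIEM-style rule: a bulk export or an off-hours export from an application the asset inventory has rated critical. The second is a UEBA-style check: each user's daily export volume is baselined on prior days and a day that exceeds mean plus three standard deviations is flagged. The log lines, the `CRITICAL_APPS` set, the business-hours window and all thresholds are assumptions chosen for the example.

```python
"""SIEM-style rule and UEBA-style baseline over constructed application audit events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample audit log for this example (not from any real system).
# Fields: ISO timestamp, user, action, application, number of records touched.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice export crm 40
2024-03-04T10:05:00 alice export crm 35
2024-03-04T11:30:00 bob export crm 12
2024-03-05T09:20:00 alice export crm 38
2024-03-05T14:10:00 bob export crm 15
2024-03-06T09:45:00 alice export crm 42
2024-03-06T13:00:00 bob export crm 10
2024-03-07T09:10:00 alice export crm 37
2024-03-07T15:30:00 bob export crm 14
2024-03-08T09:30:00 alice export crm 41
2024-03-08T22:41:00 bob export crm 900
2024-03-08T22:55:00 bob export crm 850
"""

# Assumed inputs from the asset inventory and the program's tuning decisions.
CRITICAL_APPS = {"crm"}          # applications rated critical/sensitive
BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 is treated as normal working hours
BULK_EXPORT_RECORDS = 500        # single-event threshold for the bulk-export rule
MIN_ABS_RECORDS = 100.0          # floor so tiny baselines do not alert on noise


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    app: str
    records: int


def parse_log(text: str) -> list[Event]:
    """Parse the whitespace-separated audit format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, app, records = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, app, int(records)))
    return events


def siem_rule_alerts(events: list[Event]) -> list[tuple]:
    """Static rule: bulk export or off-hours export from a critical application."""
    alerts = []
    for e in events:
        if e.action != "export" or e.app not in CRITICAL_APPS:
            continue
        reasons = []
        if e.records >= BULK_EXPORT_RECORDS:
            reasons.append("bulk_export")
        if e.ts.hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if reasons:
            alerts.append((e.user, e.ts.isoformat(), e.records, tuple(reasons)))
    return alerts


def daily_export_totals(events: list[Event]) -> dict:
    """Sum exported records per user per day for critical applications only."""
    totals: dict = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.action == "export" and e.app in CRITICAL_APPS:
            totals[e.user][e.ts.date()] += e.records
    return totals


def ueba_alerts(events: list[Event], eval_day: str, sigma: float = 3.0) -> dict:
    """Baseline each user's daily export volume on days before eval_day; flag deviations."""
    day = date.fromisoformat(eval_day)
    alerts = {}
    for user, per_day in daily_export_totals(events).items():
        history = [n for d, n in per_day.items() if d < day]
        if len(history) < 3:
            continue  # cold start: not enough history to form a baseline
        threshold = max(mean(history) + sigma * pstdev(history), MIN_ABS_RECORDS)
        today = per_day.get(day, 0)
        if today > threshold:
            alerts[user] = (today, round(threshold, 1))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in siem_rule_alerts(evs):
        print("RULE ", a)
    for user, (total, thr) in ueba_alerts(evs, "2024-03-08").items():
        print(f"UEBA  {user}: {total} records exported vs threshold {thr}")
```

Two practitioner caveats that the example makes visible. First, the static rule depends entirely on the asset inventory (`CRITICAL_APPS`): without the Know Your Assets work the rule has nothing to match against. Second, both detections are tuned for a loud event; an insider who exports 30 records a day for six months stays under every threshold here, which is why a program also needs DLP on the egress path, PAM for privileged accounts and peer-group baselines in production UEBA rather than a single per-user window.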