Prevention > Protection: How to Build an Insider Threat Program


Tech Insights for Professionals: The latest thought leadership for IT pros

Thursday, February 9, 2023

A robust insider threat program is essential for organizations to prevent sensitive data from being compromised by malicious or inadvertent activity.


Security awareness is vital for anyone working in IT, and an effective insider threat program should be an integral part of an organization’s cyber defense strategy. Protecting sensitive data from elements inside a business and closing down any breaches quickly is a serious responsibility. That means building a robust program that covers everything from inadvertent data leaks to insider attacks.

What are the three types of insider threats?

Not all insider threats are created equal and in order to combat them, it’s worth understanding the differences. Insider threat training should look at a selection of ways data could be compromised from within, but there are three main types:

  • Malicious insiders: Motivated to act by personal gain or inflicting harm on the organization
  • Third-party insiders: Informal members of the organization, like contractors or vendors
  • Inadvertent insiders: Expose an organization through negligence or carelessness

Why malicious insiders are a huge threat to your enterprise

Many cybersecurity solutions focus on breaches originating outside an organization, but insider threat awareness shouldn’t be overlooked. After all, employees can navigate their way around your network with ease and know what is valuable enough to steal. They can also go undetected for long periods of time because they hold legitimate credentials for your systems.

The average total cost of an insider-related incident is $11.45 million, according to the 2020 Cost of Insider Threats: Global Report by the Ponemon Institute. As well as costing a vast amount of money, insider threats can lead to breaches of the standards, laws or regulations that govern the keeping of sensitive data, resulting in fines, jail time and damage to a business’s reputation.


Should you build an insider threat program?

A proactive insider threat program is a must-have for all businesses that handle sensitive data. The frequency, cost, and time taken to detect and prevent insider attacks keep increasing, while new challenges, such as shifts towards working from home and bring-your-own-device practices, mean visibility over insiders is more obscured than ever before. Establishing a good security culture is key to mitigating the risks.

10 steps to build a successful insider threat program

Tackling insider threats is not straightforward and you need a clear plan to ensure implementing your new program goes as smoothly as possible. Even when you follow each step in turn, you’ll need to tweak them and return to any stages that require more buy-in or increased attention.

1. Preparation is key

In order to make sure your insider threat program is fit for purpose, you’ll want to set some goals. These will help keep your activities focused on outcomes and may include: identifying behaviors that suggest a potential threat, detecting actual threats, discovering inadvertent breaches and improving investigative abilities.

2. Carry out a risk assessment

To improve the security of your data, you first need to know where you’re starting from. That means conducting an insider threat risk assessment to establish the current level of protection you’ve got in place. An in-depth assessment will cover everything from identifying your most valuable assets to studying threat analytics.

3. Estimate the resources needed to create your insider threat program

Building your program will require resources from beyond the cybersecurity and IT departments. Make a list of the staff you expect to be involved, the tools and software that will be needed and the cost implications of the process right from the start. This will help to manage expectations and prevent delays further down the line.

4. Get buy-in from senior stakeholders

Once you’ve gathered together all the information in the first three steps, it’s time to present your business case to senior management. There’s a good chance you’ll know more about insider threats than these stakeholders, so clearly put across the potential outcomes if a program isn’t implemented. Examples are an effective way to illustrate your point.

5. Build an insider threat response team

Establishing an in-house insider threat response team is crucial to ensure any incidents are detected and dealt with as efficiently as possible. It’s a common misconception that everyone on this team should have an IT background, when in fact you want to involve representatives from multiple departments. Put a hierarchy in place and give members the authority and resources to act quickly and with conviction.


6. Determine insider threat detection measures

Threat detection methods should be a combination of human and technological elements. Your organization’s personnel are uniquely positioned to observe concerning behaviors or activities. Put a process in place to allow them to report these easily, so they can be investigated further. A robust insider threat detection system should incorporate AI and analytics to establish a baseline of activity for all users and devices, then assign risk scores.
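The baseline-then-score idea described in this step, as an added example that is not from the original article: each user is compared against their own history, so a heavy but steady user is not flagged while a sharp jump from a light user is. The sample counts, the function names and the choice of median/MAD as a simple statistical stand-in for the "AI and analytics" are assumptions made for illustration.

```python
from statistics import median

# Constructed sample data: files downloaded per day by each user over ten
# working days, followed by today's count. Not taken from any real system.
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "bob":   [40, 38, 45, 41, 39, 44, 42, 40, 43, 41],
    "carol": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3],
}
TODAY = {"alice": 14, "bob": 47, "carol": 60}

def baseline(values):
    """Return (median, MAD): a baseline that a few past outliers cannot skew."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad

def risk_score(history, observed, floor=1.0):
    """Score 0-100 from how far above the user's own baseline today's count is."""
    med, mad = baseline(history)
    # 1.4826 * MAD approximates the standard deviation for normal data;
    # the floor stops a very steady user from producing a near-zero divisor.
    spread = max(1.4826 * mad, floor)
    z = (observed - med) / spread
    # Only activity above the baseline raises risk; z is capped at 10 (score 100).
    return round(min(max(z, 0.0), 10.0) * 10)

def score_all(history, today, threshold=50, min_days=5):
    """Return {user: (score, flagged)} for every user seen today."""
    results = {}
    for user, observed in today.items():
        past = history.get(user, [])
        if len(past) < min_days:
            # Too little history to build a baseline: route to manual review.
            results[user] = (None, True)
            continue
        score = risk_score(past, observed)
        results[user] = (score, score >= threshold)
    return results

if __name__ == "__main__":
    for user, (score, flagged) in score_all(HISTORY, TODAY).items():
        print(f"{user}: score={score} flagged={flagged}")
```

A flagged score is a prompt for the response team to investigate, not a verdict; the threshold and the minimum history length need tuning against the organization's own data.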

7. Form incident response strategies

Having strategies in place that can be activated as soon as a threat is detected is key to minimizing damage. Most organizations will need a number of protocols, each tailored to a specific situation. The events to plan for should include employees giving notice, staff being terminated, active indicators being identified, and unusual or suspicious activity being detected.

8. Plan incident investigation and remediation

This stage should form the crux of your insider threat program, as it’s where you’ll be able to investigate exactly what’s going on. In order for this part of the process to swiftly spring into action and be handled in a professional manner, protocols must be established. All evidence must be collected and properly reported, with a remediation plan put in place once the scope of the incident has been fully understood.

9. Provide insider threat awareness training

Minimizing the risk of insider threats relies on developing a better security culture within your organization and ensuring all personnel are proactive. While the response team will be ready to take control once a threat is brought to their attention, other staff may be better placed to detect it in the first place. All employees should understand the protocols in place and where they fit into the system.


10. Regularly review your program

Like many areas of cybersecurity, the world of insider threats is constantly shifting. This means putting an insider threat program in place can’t be a one-off job, but part of an evolving process. The program should be reviewed at regular intervals, but also if an incident occurs, anyone on the response team leaves or new rules for compliance are put in place.
