Oct 29 2020

How to Build an Insider Threat Program

A well-planned program can help prevent incidents.

Insider threats are one of the biggest security challenges that organizations face, and once an incident happens, recovery can be costly for businesses. A recent Ponemon Institute report found that spending on insider threats has increased by 60 percent over the past three years, and by 25 percent since 2018.

Considering the amount of cleanup needed — insider-related incidents that take more than 90 days to clean up can cost significantly more — having only a response strategy may not be the right approach.

Building a program to combat insider security threats is increasingly seen as a smart move for large organizations looking to mitigate their risk. It’s important to understand the threats at play, and taking steps to do something about them ahead of time can save organizations time and money.

The Purpose of an Insider Threat Program

With the technology and human interactions involved, insider threats must be managed differently than external ones.

Pam Nigro, the board director of the IT governance trade group ISACA, says that an insider threat program is necessary because those inside of an organization may have a close-up view of that organization’s inner workings.

“I think the primary reason is really the amount of exposure that somebody from the inside can have,” Nigro says. “Somebody from the outside is working their way in and trying to figure out and navigate paths. Somebody who is already on the inside may already have access.”

Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, adds that there are multiple aspects to preventing an insider threat from emerging, and together they can build a preventative strategy.

“I think both the technology as well as understanding how people and processes can play their roles in reducing insider threats have come a long way in the last couple of years,” he says. “It’s frankly not a moment too soon, particularly in light of everything else that’s going on in 2020.”

Nigro, who is also a security officer and vice president of information technology at Home Access Health, emphasizes that the remote nature of work changes the imperative.

“It’s really good to start having these programs to help everybody recognize the signs,” she says, “and even sometimes for the people who are not intentional perpetrators to start recognizing their own warning signs, and maybe ask for help as opposed to doing some other kinds of behaviors.”


Insider Threat Awareness: Risk Assessments

Understanding the need for an insider threat program requires understanding the types of risks an organization may face, whether those risks are due to negligence or active attacks. Human resources may also play a role in insider threat assessments. The Intelligence and National Security Alliance recently released a white paper on the role that HR departments can play in uncovering potential threats ahead of time.

“The challenge in mitigating the insider threat is to devise an early warning strategy to better align organizational resources with the struggling or at-risk employee so that appropriate support or mitigation actions may be taken proactively to reduce or eliminate the risk,” the report notes.

From an IT perspective, Nigro says, it’s worth analyzing security access organizationally to help reveal potential problems.

“It really starts to take a look at the security levels and the access levels that different individuals have,” she says. “Who has privileged information? Who has what level of access for privileged information users? Are we reviewing their background checks every year? Are we doing some due diligence from performance reviews or performance expectations around them?”

Kalember adds that, when trying to assess insider threats, it’s important to have an understanding of what’s happening on the ground. Often, the biggest threats may not even be intentional.

“If, for example, you see somebody who appears to be taking a sensitive file that might contain your customer information and putting it on a USB stick, maybe you want to prompt them with a little bit of awareness training and actually teach them the right way to do things rather than ring a bunch of alarm bells and come down hard from a security standpoint,” he said.

How to Build an Insider Threat Program

The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency offers a five-step plan for building a comprehensive insider threat program:

• Designate a senior manager to lead the program. CISA notes that this leader should help provide broader insight, advocate for resources and represent the program in a leadership role.
• Form a cross-discipline working group. This group should include individuals focused on human resources, physical security, information security and technology, data, business continuity, and legal counsel. The group should help to develop the program and identify data sources to help manage the program.
• Create documents to set governance and policy. These documents, while not hindering whistleblowing protections, should be endorsed by legal counsel and followed throughout the organization.
• Create a formal training and awareness program. This program should be included in the onboarding and departure process and emphasized with annual refreshers. Additionally, the program should be tailored to each role and seniority level.
• Open an insider threat program office. This office, which would be subject to legal and ethical oversight, would emphasize the collection and analysis of data from employees, with a defined process for managing potential insider threats — including the assistance of investigative authorities.

Nigro adds that insider threat programs may also come in tandem with a data loss prevention program. She says that, whatever model an organization chooses, it must ensure that training and awareness are a key part of the program — especially at a time when people are working remotely and access options are more fluid.

“Be very transparent that when you’re on these systems. These are work systems. These are not your personal systems,” Nigro added. “That's really a big part of our training program and awareness campaign — especially with people working from home, this is not stuff your kids can play with. This is not stuff you can surf the internet with.”


Consider NITTF’s Insider Threat Program Template

There are many guides and templates that companies can follow, often created by trade groups and federal agencies. The National Counterintelligence and Security Center, which operates the National Insider Threat Task Force, offers templates focused on what the organization deems the “minimum standards.”

Trade groups often offer similar, industry-specific tools. The Securities Industry and Financial Markets Association, for example, offers best practices that can be carried beyond the financial services industry. Nigro says that, whatever model you choose for your own needs, it’s important to research the program thoroughly.

“Just make sure you’re doing your due diligence in your control program and make sure you’re monitoring things appropriately,” Nigro says.
