Council Post: How To Build A Holistic Insider Threat Program (2024)

Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.

Any organization is susceptible to insider threats. While we commonly think of some kind of cyber exploit where sensitive data is stolen through the ether, an insider threat can be anything from a physical security breach to a cyberattack. Companies should plan and prepare for the entire range of possibilities and put the means of deterrence in place.

Here are examples from opposite ends of the spectrum—one a physical theft, the other a cyber incident—yet both were damaging to their respective organizations.

The Iranian-American engineer Mozaffar Khazaee was convicted of attempting to steal sensitive military information and ship it to Iran. Khazaee had been an employee of the defense contractor Pratt & Whitney, where he acquired information about key military technologies. He was caught shipping technical manuals and other trade secrets to contacts in Iran, violating the U.S. Arms Export Control Act. He was sentenced to more than eight years in prison.

Spear phishing attacks led to the overtaking of legitimate employee accounts at the social media company Twitter. Hackers used compromised credentials and administrative tools to usurp the accounts of famous Twitter users like Barack Obama, Elon Musk and others. The attackers deployed a scam to collect bitcoin payments into accounts they controlled and, as a result, negatively impacted Twitter’s stock value.

Cyberthreats get board-level attention these days, but the potential for physical (or “offline”) insider threats should not be ignored. After all, they have existed since well before there ever was a cyberspace. Organizations that want to protect themselves from all angles would do well to develop a holistic insider threat program.

Getting Started

Start with executive sponsorship. An insider threat program would fall under the purview of a senior executive with corporate risk or security responsibilities—a chief risk officer (CRO) or chief security officer (CSO). This leader should garner the full backing of the board or the executive leadership team to institute and maintain a formal program to reduce risk to the organization.

Once approved, the program should be led by a small, neutral team with enterprise-wide responsibilities. Ideally, the team holds no biases toward any particular group in the corporation, such as favoring the IT group and focusing solely on technology-based risks. The holistic program must cover the total risk landscape, including the physical world, the cyber world and non-security indicators that bring context to risk.

To learn who and what are most at risk, it’s important to identify the company’s critical positions and assets. People in key roles can be targeted for phishing attacks, leading to account takeovers. Workers with assigned access to sensitive or proprietary information have keys to the kingdom that are worth watching.

The program must identify the potential perpetrators in order to build the right defenses. Traditionally we think of insiders as regular employees, privileged workers like system administrators and executives who have heightened access to important information, as well as third-party workers and supply chain partners who have access to facilities and systems. But these days, an insider can be someone who has purchased or stolen a legitimate user’s credentials to gain access to computer systems and applications, as in the Twitter example above.

Education and awareness increase cooperation and support. It’s important to condition, train and educate the workforce about any fledgling program, letting them know that the program isn’t trying to “catch” people misbehaving. Rather, the program exists to protect the company and workforce from being victimized. The message should be delivered in a gentle way to cultivate cooperation.

Strong relationships are critical.

Build relationships with groups both inside and outside the company to help with the efforts to deter, detect and mitigate insider threats. Key internal groups include human resources, ethics and compliance, legal, employee development, the business units, physical security, information security, corporate investigation services and the privacy program.

Outside relationships are just as important with groups that include law enforcement, government agencies like CISA, threat intel providers, technology vendors and peer organizations.

All these groups are necessary to provide essential elements of the program, including policy guidelines, legal advice, indicators of compromise, threat and risk analysis, systems and user activity data, contextual information, employee training, investigative services and more.

Technology is a force multiplier.

Technology plays a big role in detecting suspicious activity that could be indicative of an insider threat or full-blown attack. Several types and layers of technologies are necessary to thoroughly monitor the enterprise, detect threats and calculate risk.

For example, logging tools are required across the enterprise to capture system and user activity data. A cloud-based data lake is needed to store such a vast amount of data. Data loss prevention (DLP) tools watch for improper movement of data. Privileged access management (PAM) tools monitor and control what people with heightened access permissions can do. Tools like a security information and event management (SIEM) platform collect, correlate and analyze data from a wide variety of sources. To determine which tools will best assist your company’s security needs, it is best to consult security operations, security architects, governance, risk and compliance (GRC) management and executive leadership.

On the physical security side, video surveillance, access control locks, perimeter detection systems and other devices can help detect unauthorized activity.

The key with any technology is to collect as much data as possible from as many sources as possible and correlate it to see if there are any anomalies that point to a potential threat.

Even at that, some contextual data may never be in digital format to feed into a tool. For instance, the HR department may have highly sensitive written documentation on employees that is pertinent to a threat investigation, such as information from a criminal background check or records of substance abuse.

While you should use technology tools to collect data and do analytics and risk scoring, a professional investigative body should perform the actual threat investigation. This could be HR, the ethics and compliance group, a corporate investigation services team or the like.
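As an added illustration of the correlation and risk scoring described above (not code from the author or from Gurucul), here is a small Python routine that joins constructed badge-reader, VPN login and DLP events and gives each user a weighted score together with the reasons an investigator would need. The event layouts, the rules, the weights, the business-hours window and the "uncontrolled destination" categories are all assumptions.

```python
"""Correlate physical badge events, remote logins and DLP alerts into a
per-user risk score. Added illustration; every event below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample feeds; in practice they would arrive from the badge
# system, the identity/VPN logs and the DLP tool via the SIEM or data lake.
BADGE_EVENTS = [  # (user, time, site)
    ("alice", "2024-03-04T08:55", "HQ"),
    ("bob", "2024-03-04T09:10", "HQ"),
]
LOGIN_EVENTS = [  # (user, time, source)
    ("alice", "2024-03-04T09:30", "vpn-remote"),  # remote while badged in
    ("bob", "2024-03-04T09:20", "office-lan"),
    ("carol", "2024-03-04T02:15", "vpn-remote"),  # after-hours remote
]
DLP_EVENTS = [  # (user, time, megabytes, destination)
    ("alice", "2024-03-04T09:45", 850, "personal-cloud"),
    ("carol", "2024-03-04T02:40", 1200, "usb"),
]


def score_users(badge, logins, dlp, bulk_mb=500, window_h=4):
    """Return {user: (score, reasons)} for users that trip at least one rule.
    Weights, thresholds and hours are assumptions, not a vendor's model."""
    badged_at = defaultdict(list)
    for user, ts, _site in badge:
        badged_at[user].append(datetime.fromisoformat(ts))
    findings = defaultdict(lambda: [0, []])

    def add(user, weight, reason):
        findings[user][0] += weight
        findings[user][1].append(reason)

    for user, ts, source in logins:
        if source != "vpn-remote":
            continue
        when = datetime.fromisoformat(ts)
        # Rule 1: remote session while the badge says the person is on site.
        if any(abs((when - b).total_seconds()) < window_h * 3600
               for b in badged_at.get(user, [])):
            add(user, 40, "remote login while badged on site")
        # Rule 2: remote login outside business hours (07:00-20:00 assumed).
        if not 7 <= when.hour < 20:
            add(user, 20, "after-hours remote login")
    for user, _ts, megabytes, dest in dlp:
        # Rule 3: bulk transfer to an uncontrolled destination.
        if megabytes >= bulk_mb and dest in {"personal-cloud", "usb"}:
            add(user, 30, f"{megabytes} MB sent to {dest}")
    return {u: (s, r) for u, (s, r) in findings.items()}
```

Calling `score_users(BADGE_EVENTS, LOGIN_EVENTS, DLP_EVENTS)` ranks alice (remote session while badged in, plus a bulk upload) above carol (after-hours remote login plus a bulk USB copy) and leaves bob out; the output is a lead for the investigative body, not a verdict.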

With the proper plan and technologies, the risk of insider threats can be minimized.

FAQs

What is the purpose of the insider threat prevention program?

Insider threat programs are designed to deter, detect, and mitigate actions by insiders who represent a threat to national security.

Which of the following best describes the considerations for formulating an insider threat mitigation response?

Your Insider Threat Program must consider the individual's privacy and civil liberties when developing mitigation response options. Ensure that personal information is properly handled, accessed, used, reported, and retained in accordance with applicable laws, policies, and regulations.

What are the minimum standards for establishing an insider threat program?

As discussed in lesson one, these minimum standards include: Designation of Senior Official, Implementation of Data Sharing, Capability to Manage Threat Information, Monitoring of Employee Classified Network, Providing Employee Awareness Training and Specific Training for Insider Threat Program Personnel, Protecting ...

What are the 3 major motivations for insider threats?

Insiders have a wide variety of motivations, ranging from greed to a political cause or fear, or they may simply be naive.

What is the most common form of insider threat?

The insider threat that carries the most risk is when employees misuse their access privileges for personal gain. This can include unauthorized access attempts, data theft, or the misuse of sensitive information. Monitoring for such indicators can help organizations mitigate the risks associated with insider threats.

What is not considered an insider threat?

These users do not need sophisticated malware or tools to access data because they are trusted employees, vendors, contractors, and executives. Any attack that originates from an untrusted, external, and unknown source is not considered an insider threat.

What is the Executive Order for the insider threat program?

Executive Order 13587 directs United States Government executive branch departments and agencies (departments and agencies) to establish, implement, monitor, and report on the effectiveness of insider threat programs to protect classified national security information (as defined in Executive Order 13526; hereinafter ...

What does an insider threat program manager do?

Follows computer-generated leads to identify anomalies and/or support the insider threat processes. Works independently, with oversight, to advise and assist office personnel on matters of insider…

What is the DoD insider threat program?

The DoD Insider Threat Program is designed to prevent, deter, detect and mitigate actions by malicious insiders who represent a threat to national security or DoD personnel, facilities, operations and resources through the integration and synchronization of the full range of security, counterintelligence, cybersecurity ...

What is a best practice for being aware of insider threats?

To monitor for activities or behaviors that may signal an insider threat, firms should use both technical tools and human intelligence. Firms should utilize network monitoring software, appropriate identity and access management controls, and data loss prevention tools.

What are the tactics of insider threats?

Collusive threats: Insiders collaborate with external entities, such as competitors or cyber criminals, to conduct espionage, intellectual property theft, or facilitate unauthorised access. Combining insider knowledge with external resources and capabilities can significantly amplify the damage.

What are the three main categories of indicators used to determine an insider threat?

Common types of insider threat indicators include unusual behavior, access abuse, excessive data downloads, and unauthorized access attempts. Monitoring these indicators can help organizations identify potential insider threats and take necessary steps to mitigate risks and protect sensitive information.

When you establish your organization's insider threat program?

An insider threat program offers a comprehensive strategy to identify, prevent, and mitigate insider threats posed by individuals within your organization. These can be your employees, contractors, business partners, or anyone else with access to your systems.
