Insider Threat Programs: 8 Tips to Build a Winning Program
Learn how to build your insider threat program, with tips like determining critical assets, performing background checks, and building insider threat use cases.
What is an insider threat program?
Insider threat programs are strategies designed to help organizations identify vulnerabilities that could be exploited through privileged information or access. Ideally, these programs help organizations uncover and remediate permissions or access to assets that could be abused by disgruntled or malicious employees, attackers with compromised credentials, or human error.
When implemented successfully, these programs can significantly reduce the chance of system compromise or breach. This helps organizations save substantial amounts of money and avoid loss of brand reputation and customer trust. According to a recent insider threat study by Ponemon Institute, these programs can save around $11.5 million, on average, that would otherwise be spent on fines, remediation or lost revenue.
In this article, you will learn:
- 8 Tips for Building Your Own Insider Threat Program
- 1. Form a Planning Team
- 2. Determine Critical Assets
- 3. Perform a Threat Risk Assessment
- 4. Conduct Employee Background Checks
- 5. Implement and Maintain Information Security Controls
- 6. Build Insider Threat Use Cases
- 7. Pilot, Evaluate and Select Insider Threat Tools
- 8. Revise Your Insider Threat Program
- Advanced Best Practices For Insider Threat Programs
8 tips for building your own insider threat program
If you do not already have an insider threat program in place, now is the time to begin creating one. These tips can help you ensure your plan is comprehensive and that you can implement it effectively.
1. Form a planning team
Before you can create an effective program, you need to have a team that can bring combined knowledge of your operations, goals and vulnerabilities. This team should include representatives from security, IT, legal, human resources, and executive units. With this team, you can make informed policies and create workable procedures that fall within regulatory, policy and legal guidelines.
2. Determine critical assets
With your team in place, you need to build a map of your assets and determine threat priorities. This includes both virtual and physical assets, such as internal documentation, key cards, product prototypes, and employee data. Your program should devote the highest coverage to your most sensitive assets while still accounting for those with low priority.
To determine which information or access is important, you can rely on your planning team. Having chosen members from across your business units, you will have a broad view of what you have and what others might want.
3. Perform a threat risk assessment
Assessing the current state and compliance of your operations can help you identify existing security gaps that need to be addressed. This could mean auditing system configurations against known benchmarks, confirming that settings match established policies, or performing penetration testing to see how effective your tooling is.
In particular, you should evaluate your systems and protections in terms of their ability to detect threats from authorized users. This means testing your ability to identify suspicious patterns of behavior such as suddenly accessing or copying large amounts of data.
Related content: read our guide to insider threat indicators
4. Conduct employee background checks
Part of knowing your threat risk is being aware of who you have on your team. One way is through background checks. If someone has previously been fired because of corporate abuse, you would want to know that and avoid them. Likewise, if someone is having significant financial troubles, they could present a risk.
You have to be careful with this information and apply it fairly. Background checks are not foolproof and can turn up falsely attributed information. Additionally, checks cannot tell the whole story of a person and workers should not be punished for past events in their personal lives that do not affect their ability to work.
Related content: read our guide to identifying malicious insiders
5. Implement and maintain information security controls
One of the strongest protections for your data is the ability to limit access, even to insiders. You should only grant users access to data they need to perform their jobs. If additional access is temporarily required, you can provide it as needed.
By restricting access to data through access policies and encryption, you reduce the opportunity employees have to abuse their privileges. You also reduce the damage attackers can potentially cause if they obtain compromised credentials.
6. Build insider threat use cases
Use cases are guidelines for when your program procedures should be applied; for example, a use case might cover a user who is using unapproved cloud storage or who has requested restricted access. By creating use cases for your most commonly expected issues, you can help your security teams reliably monitor potential threats and take action to resolve vulnerabilities.
These use cases should include procedures for protective monitoring (for example, heightened security around employee resignations or terminations). These are times when insider threats may be greatest and should be handled carefully. This sort of monitoring is often a requirement of compliance or industry best practices.
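As an added example (not code from the article or from Exabeam's products), the Python sketch below turns two of the use cases discussed above into detection logic run over constructed log lines: the sudden bulk data access described in the threat risk assessment step, and uploads to unapproved cloud storage, with departing users tagged for protective monitoring. The log format, the approved-storage allow-list and the departing-user set are all assumptions.

```python
import re
from collections import defaultdict
from statistics import median
# Constructed sample events (not from the article), one access per line:
# "<ISO timestamp> <user> <download|upload> <bytes> <destination>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice download 120000 fileserver.corp
2024-05-01T10:00:00 alice download 150000 fileserver.corp
2024-05-02T09:00:00 alice download 140000 fileserver.corp
2024-05-02T10:00:00 alice download 120000 fileserver.corp
2024-05-03T09:00:00 alice download 4500000 fileserver.corp
2024-05-01T09:30:00 bob upload 80000 sharepoint.corp
2024-05-01T09:40:00 bob upload 90000 personal-drive.example
"""
APPROVED_STORAGE = {"fileserver.corp", "sharepoint.corp"}  # assumed allow-list
DEPARTING_USERS = {"bob"}  # assumed HR feed of resignations/terminations
LINE_RE = re.compile(r"^(\S+) (\S+) (download|upload) (\d+) (\S+)$")

def parse_log(text):
    """Parse raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, size, dest = m.groups()
            events.append({"day": ts[:10], "user": user, "action": action,
                           "bytes": int(size), "dest": dest})
    return events

def volume_anomalies(events, multiplier=5):
    """Use case: sudden bulk data access. Flag a user-day whose download volume
    exceeds `multiplier` times that user's own median on at least two other days."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            daily[e["user"]][e["day"]] += e["bytes"]
    alerts = []
    for user, days in daily.items():
        for day, vol in days.items():
            others = [v for d, v in days.items() if d != day]
            if len(others) >= 2 and vol > multiplier * median(others):
                alerts.append((user, day, vol))
    return alerts

def unapproved_storage(events):
    """Use case: upload to a destination outside the approved list. The
    third field marks departing users for protective monitoring."""
    return [(e["user"], e["dest"], e["user"] in DEPARTING_USERS)
            for e in events
            if e["action"] == "upload" and e["dest"] not in APPROVED_STORAGE]
```

The baseline is each user's own history rather than a fixed threshold, which is the difference between a generic size limit and the behavioral analytics the later tooling step calls for.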
7. Pilot, evaluate and select insider threat tools
You may already have all of the security tooling you need, or you may find that your tooling is lacking. In the latter case, you should start evaluating tools that can fill the gaps. Generally, this means adopting more comprehensive monitoring tools, in particular those with behavioral analytics features.
You should prioritize tools that can perform end-to-end tracking of user activity and can provide visibility in real time. Additionally, look for tools that can centralize your operations, incorporating monitoring, logging, investigation and alerting capabilities if possible. This centralization allows you to analyze system conditions more thoroughly and increases the chance that you’ll catch suspicious activity early on.
8. Revise your insider threat program
As part of your program, you should build in periodic audits of your tooling, permissions and procedures. Systems, staffing and threats are dynamic and you need to ensure that you are accounting for change as needed.
When auditing, take note of any outdated or vulnerable areas and adapt your program accordingly. Additionally, if incidents do occur, make sure that you apply feedback from your incident response workflow to improve your current program. Not updating your procedures after an incident is inviting a repeat threat.
Advanced best practices for insider threat programs
As you create and audit your insider threat program, consider these best practices. The practices we recommend below can help you ensure your program is well-tailored to your needs and that it supports your staff’s productivity.
Align terminology with the culture
The terminology you use in your program can frame you as an ally of your employees or create an us-versus-them environment. You should be careful how your program is labeled and how goals and procedures are framed to avoid this. For example, rather than calling it an “insider threat program”, you may want to call it an “employee protection program”.
By using neutral or friendly terminology, you can display goodwill towards your staff and avoid creating resentment. Using collaborative language can also help you recruit employees towards the effort of maintaining asset security. When they feel like an important part of your goals, they may be more likely to share responsibility.
Be transparent and build trust
Related to the language you use, you need to ensure that your employees understand why your program is in place and the intent. This means explaining what the program is monitoring and why. You don’t have to detail how systems are monitored, but you should not hide the high-level information.
When employees know that monitoring is happening and do not feel like they are being personally targeted, they may be more likely to trust and value your organization. This can decrease the chance of malicious activity and increase the likelihood of employees reporting suspicious activity to you.
Focus on automated monitoring
Manually monitoring your systems does not provide you with the coverage or depth that you need to secure assets successfully. The solution to this is automated monitoring. Automated monitoring helps you process and analyze information from across your systems and enables security teams to focus on threat remediation and prevention.
Related content: read our guide to detecting insider threats with data science
Protecting your business against insider threats is as important as traditional cybersecurity practices that focus on external threats. However, insider threats are often much harder to detect than threats from outside the organization since they cannot be blocked by antivirus and firewalls.
In terms of threat solutions, Exabeam offers security tools, such as SOAR and UEBA, which can recognize suspicious employee behavior that might indicate malicious intent.
Learn more in our white paper: Preventing Insider Threats with UEBA