Identify the needs of the insider threat program

Insider risks and insider threats are tied to the most basic elements of a business – how does an organization’s talent safely work with the organization’s information? Of all the many disciplines of cybersecurity, insider risk and threat management is the most closely tied to the business itself. As such, organizations will ideally approach their insider threat program from the top in order to get direction and backing from executive leadership and align the goals of the program with the unique needs and risks of the business.

Executive leadership. Organizational leaders will be able to provide key insight into the strategic needs of the program and help define the company’s expectations of how employees are expected to treat sensitive information.

HR teams. HR teams are typically strong contributors to an insider threat program. This can include defining the expected conduct of employees as it relates to data and privileged information. HR teams are also closely involved in all onboarding and offboarding activities of employees, which carry heightened risks for insider threats.

Legal teams. Legal teams have insight into any regulatory risks that the program should address. They may want to ensure that new employees don’t bring in sensitive data from a previous employer that could negatively impact the company. Legal teams may also want to understand how the program will affect end-user privacy and what types of evidence will be required in case the organization wants to take legal actions as a result of an insider threat. Are there any requirements for how an insider threat will need to be reported?

{{ promo }}

Engage with the business

Next, the leaders of the insider threat program should engage with the individual business units. Sensitive data comes in many forms, and any data that could harm the organization if lost or exposed is potentially in scope of the insider threat program. Working with individual business units will help in the following ways:

• Identify sensitive data or assets – Many business teams have an idea of what data needs to be protected. What information does the unit work with that would be valuable to a competitor? What data would be harmful or embarrassing if leaked to the public? This can help shift focus from a few simple records to documents, design files, source code, presentations, internal emails and chats, and more.
• Identify any regulated data – The program will naturally need to know which parts of the business work with data that is subject to any regulatory or compliance standards. This may include teams that may have administrative access to customer data or provide support services.
• Identify business workflows – Knowing what data needs to be protected is only half the battle. Insider threat programs also need to know how the data is used to drive the business. This can include complex and open-ended workflows. Who needs the data? How is it shared? Are there unique issues such as new product information that will be private and then be made public after a launch?

Define how policies will be enforced

Next, organizations need to know exactly how the insider threat program will translate into action. And this can require the organization to explicitly define its overall tolerance for risk. In developing the program you may also need to consider how the organization will balance the need to mitigate risks vs the need to maintain user productivity. Important questions can include:

• Will the organization deploy measures to block the exfiltration or oversharing of data?
• If blocking is not needed initially, will the capability be needed in the future?
• Will users be allowed to override policies in order to maintain productivity?
• What additional enforcement or response efforts are required? Manual investigation? Integration with SOAR or incident response platforms?
• How will management be informed of events, and what actions will managers need to take after an event?

Build a user training program

The end users themselves are one of the most important aspects of any insider threat program, and all trusted insiders will need to be trained on the expectations and responsibilities for keeping company data safe. This can include:

Documentation of policies. Providing users with the official company policies for handling data both in general as well as for their particular job role.

Periodic training. Providing cybersecurity training that includes best practices and requirements for preventing data loss.

Real-time training. Real-time coaching and training that can reinforce policies and redirect users in the context of their actual workflow.

Identify technical and operational needs

The insider threat program will also need to consider the initial and ongoing operational needs. These needs can vary considerably based on the types of security tools and countermeasures that are selected. And while it is easy to focus on the initial goals of a program, the program team should account for the ongoing need for staff to administer and maintain any technical solutions. This can include:

• What data sources will be used to detect insider threats? How will that information be obtained at a technical level (e.g. network taps, endpoint agents, log collectors, APIs, etc)?
• How much ongoing maintenance and tuning will be required? Will security users need to customize detection rules?
• How will incidents be handled? Will manual investigation by an analyst be required? How many alerts will the team be able to support?
• What other systems will an insider threat solution need to integrate with?

Naturally, every organization’s insider threat program will be somewhat unique. However, these core steps can provide a strong foundation and framework for building a program that aligns to the unique needs and challenges a business may face.