How to Build an Insider Threat Program
Pam Nigro, the board director of the IT governance trade group ISACA, says that an insider threat program is necessary because those inside of an organization may have a close-up view of that organization’s inner workings.
“I think the primary reason is really the amount of exposure that somebody from the inside can have,” Nigro says. “Somebody from the outside is working their way in and trying to figure out and navigate paths. Somebody who is already on the inside may already have access.”
Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint, adds that there are multiple aspects to preventing an insider threat from emerging, and together they can build a preventative strategy.
“I think both the technology as well as understanding how people and processes can play their roles in reducing insider threats have come a long way in the last couple of years,” he says, “It’s frankly not a moment too soon, particularly in light of everything else that’s going on in 2020.”
Nigro, who is also a security officer and vice president of information technology at Home Access Health, emphasizes that the remote nature of work changes the imperative.
“It’s really good to start having these programs to help everybody recognize the signs,” she says, “and even sometimes for the people who are not intentional perpetrators to start recognizing their own warning signs, and maybe ask for help as opposed to doing some other kinds of behaviors.”
Insider Threat Awareness: Risk Assessments
Understanding the need for an insider threat program requires understanding the types of risks an organization may face, whether those risks are due to negligence or active attacks. Human resources may also play a role in insider threat assessments. The Intelligence and National Security Alliance recently released a white paper on the role that HR departments can play in uncovering potential threats ahead of time.
“The challenge in mitigating the insider threat is to devise an early warning strategy to better align organizational resources with the struggling or at-risk employee so that appropriate support or mitigation actions may be taken proactively to reduce or eliminate the risk,” the report notes.
From an IT perspective, Nigro says, it’s worth analyzing security access organizationally to help reveal potential problems.
“It really starts to take a look at the security levels and the access levels that different individuals have,” she says. “Who has privileged information? Who has what level of access for privileged information users? Are we reviewing their background checks every year? Are we doing some due diligence from performance reviews or performance expectations around them?”
Kalember adds that, when trying to assess insider threats, it’s important to have an understanding of what’s happening on the ground. Often, the biggest threats may not even be intentional.
“If, for example, you see somebody who appears to be taking a sensitive file that might contain your customer information and putting it on a USB stick, maybe you want to prompt them with a little bit of awareness training and actually teach them the right way to do things rather than ring a bunch of alarm bells and come down hard from a security standpoint,” he said.
