You can’t run a business without giving employees access to resources, and you can’t give them that access without some degree of risk. Insiders can damage your company in countless ways, from destroying valuable equipment, to leaking sensitive data, to providing access to unauthorized third parties. These corporate security incidents can lead to lost revenue, compliance fines and lawsuits, and serious damage to your reputation.
An insider threat program can help you anticipate and address risky or destructive individual behavior before major damage is done. However, it’s crucial to address insider threats based on a realistic assessment of risks. Most companies face far more danger from lack of attention or training by insiders than from actual malice. Fostering a collaborative culture of security will earn employee buy-in, and provide better results (and morale) than a top-down “everyone’s a suspect” approach.
Insider Threat Program Basics: What Is an Insider Threat?
The phrase “insider threat” is often used to refer specifically to malicious data theft or sabotage of an organization’s data or electronic resources by insiders. The National Counterintelligence and Security Center, for example, defines an insider threat as, “when a person with authorized access to U.S. Government resources… uses that access to harm the security of the United States.”
Malicious insiders may be driven by a wide range of motivations, including greed, economic desperation, desire for revenge for a perceived wrong, and loyalty to a different organization. Their actions can vary greatly, from erasing a friend’s debt, to selling the organization’s records, to actual physical violence.
But in many cases, the most serious insider threats come from inadvertent insiders — people who unknowingly allow outside threat actors into your organization through a mistake. Some of these mistakes are negligent, but most of them are just ordinary mistakes — often resulting from lack of training. A worker could cause email security issues by reusing a password for a work account, or unknowingly opening an unsafe email attachment, for example, giving an attacker access to the company’s resources.
Because malicious and inadvertent threats are so different, creating an insider threat program takes commitment and ongoing work.
Why Insider Threats Are Such a Big Deal
Insiders have direct access to data and IT systems, which means they can cause the most damage. According to a 2015 Intel Security study, insider threat actors were responsible for 43% of attacks, split evenly between malicious and unintentional actors. According to the IBM X-Force 2016 Cyber Security Intelligence Index, insider cyber security threats are an even bigger problem. From 2015 to 2016, the percentage of attacks carried out by all insiders grew from 55% to 60% according to the study. Of those, about 73.6% were carried out by malicious insiders — or 44.5% of total attacks.
These numbers are alarming enough, but they don’t even tell the whole story. Because even among successful attacks carried out by outsiders, virtually all have at least one insider threat component. At some stage of the process, someone in the targeted organization or a partner organization had forgotten to upgrade software, left a default root admin password in place (or had improper permissions inside due to malice or a mistake), transferred sensitive data over an insecure connection, or done something else that exposed the organization to attackers.
Realistically, your insider threat program can’t anticipate every possible mistake that could harm security. Some issues — such as internal security and compliance initiatives — may lie outside the realm of your insider threat plan altogether. In other cases, an attacker may be using a novel tactic such as a new type of Business Email Compromise (BEC) attack that your organization hasn’t anticipated. But your insider threat program doesn’t have to be perfect — just getting employees to be aware of security issues and be vigilant can significantly reduce insider threat risk.
Government Insider Threat Programs and Initiatives
The U.S. government has created the National Insider Threat Task Force to develop and enforce minimum insider threat program standards across government organizations and contractors. Their policy gave covered organizations 180 days to “establish a program for deterring, detecting, and mitigating insider threat[s].” Organizations were required to take a number of steps to protect against insider threats, including:
- Monitoring users on classified government networks.
- Examining background information about users.
- Training employees to spot and detect insider threats.
- Creating mechanisms to analyze and share insider threat information.
The government has also taken other steps to promote insider threat programs, including researching current programs, and developing an insider threat roadmap through a public/private partnership.
All of this work has generated an awakening, according to Michael Gelles, a Naval Criminal Investigative Service veteran and insider threat expert. Gelles pointed out that, although insider threat detection has been going on for decades, popular awareness of the insider threat program is new:
“For me, having spent a career with it, it is almost like folks have finally awakened to this issue despite the fact that it has been something that the government has long been focused on.”
Gelles points out that the typical insider threat program has been reactive historically, and focused on malicious theft of proprietary and classified information. The government would debrief spies once they were caught, and study their motivations, but they didn’t have good mechanisms in place to catch insiders until relatively recently.
In the digital age, both “complacent insiders” who leave doors open through negligence, and “ignorant or uninformed insider(s)” who haven’t been trained have become a much bigger security risk, according to Gelles. This has a lot to do with how technology has changed things.
A Cold War-era intelligence bureaucrat working for the CIA couldn’t accidentally leak a secret file stored in their workplace — they’d have to copy the file without getting caught, and meet with a handler in person to hand it off. But these days, a bureaucrat could very easily compromise much more information just by choosing a bad password, or clicking on a suspicious link. Unfortunately, although we’ve gotten much better at predicting the behavior that precedes a malicious leak, few insider threat program plans adequately address the risk of inadvertent leaks.
How to Create Your Own Insider Threat Program
Unfortunately, there’s no one-size-fits-all insider threat solution. Businesses need to come up with their own program to assess risks, choose security tools, and train and supervise their employees to minimize the risks of insider threats. Here’s a basic roadmap for SMBs beginning their insider threat program initiative.
1. Insider Threat Program — Pre-Planning
In this phase, your organization will plan out the scope of the project, and identify internal assets and stakeholders. For SMBs, it’s usually best to limit the scope, and execute a pilot insider threat program based around your organization’s most pressing risks. That could mean focusing on employees handling advanced research or preparing for a merger.
Alternately, you might want to focus on an area of your organization under heightened compliance pressure — such as meeting HR HIPAA requirements. If you’ve had a major incident, or a series of minor incidents in a particular department, that could also be a natural place to pilot.
Once you’ve broadly outlined the scope of your insider threat program, it’s time to look at internal assets and stakeholders. What security and compliance programs do you already have? What software are you running that could help identify insider threats? Do you have people with security expertise, or training in insider threat detection? What about external suppliers or consultants who might be able to offer support? In many cases, your insider threat program will benefit greatly from an outsider to give you some fresh perspective.
Now, it’s time to establish your team. Involve people from the pilot department as well as the security staff and partners you’ve identified. As we said earlier, your insider threat program should not be a top-down project that treats your staff with deep suspicion — it should be a collaborative process where staff are encouraged to voice their concerns and lend their help. Not only will this improve morale (no one wants to be part of a “pilot program” that treats them as the enemy), it will also lead to a more successful insider threat program, since workers will be able to help spot risky or suspicious behavior.
2. Insider Threat Program — Management Buy-In
Management buy-in is essential, not just because you need them to sign off on resources and changes, but because you need them as participants. Management have access to the most valuable resources. They’re the most valuable targets for sophisticated attackers, and when they maliciously leak data or make a careless mistake, they’re the ones who can do the most harm. On a more positive note, if they feel part of the program from the beginning, it will be much easier to expand the program later.
An outside vendor like Virtru can provide guidance and help you prepare to make the pitch. However, when it comes time to take the insider threat program to management, you’re the best advocate. Coming to management with an initiative to secure business data is almost always going to look more convincing than immediately turning over the mic to an outside partner. However, having a trusted security partner with experience in implementing insider threat programs in your pocket early on will help you avoid pitfalls, and craft an effective project from day one.
3. Insider Threat Program — Identifying Risks
Now that you’ve sold the insider threat program to management, it’s time to take a close look at what risks you’re trying to prevent, and what data you’re trying to protect. Start by listing all the different kinds of sensitive data people in your pilot program have access to. For each type of data, you need to answer several questions, including:
a. What is the value of this type of data to you?
b. What would be the consequences if it were stolen or vandalized — include compliance fines, lawsuits, loss of business, and loss of competitive positioning.
c. Who would be interested in stealing this data, and why? How valuable would it be to hackers, competitors, etc.?
d. In what ways could the data be lost? Is it a likely target for a malicious insider? Is it something that an employee could easily accidentally email to an unauthorized party? Could a partner leak it?
e. In what way could it contribute to other, further breaches?
Some data (e.g. passwords) is valueless in itself, but incredibly valuable to a hacker trying to perpetrate an attack. Other data might be valuable to certain competitors, but won’t be valuable to anyone else. For example, a parts invoice might contain valuable intelligence about a manufacturer that a competitor could use to learn more about your company, but won’t be any help to anyone else. Business data protection should be based around preventing the most likely risks.
As you can imagine, things can get pretty complicated pretty quickly. That’s okay — a pilot insider threat program doesn’t have to address every risk on day one. You can always prioritize certain risk mitigation steps, and put others off for another day.
4. Insider Threat Program — Plan Risk Remediation
With your big risk list, you’ll be able to identify the most urgent risks for your insider threat program. This is when knowledge of your existing security program comes in handy. Bad password practices, unsafe browsing, and lack of phishing awareness are major security risks, but your company may already be addressing them with regular training.
One thing your company probably isn’t handling is the risk of unencrypted email. If insiders email sensitive information — for example, because the recipient doesn’t use the same secure client portal — it can be intercepted by a hacker. Your company may want to drop the portal altogether (if you have one) and use an email encryption program for all communication. This will simplify secure communication, and limit the risk of employees forgetting to switch when they need a secure channel. To learn more about the benefits of encrypted email over portals, check out the resource list below.
You’ll also want to tag sensitive data, and implement (or strengthen) rules for handling it securely. Restrict access to sensitive information to those who absolutely need it, and make rules governing how they can use and share it. For example, users should never email billing information, as this violates PCI (unless your email is within scope, which isn’t likely). Use a Data loss protection (DLP) solution such as Virtru DLP to enforce those rules, and supervise workers for compliance.
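To make the billing-information rule above concrete, here is an added example (not Virtru DLP’s code or configuration) of how an outbound email content rule can detect payment card numbers. The function names and sample messages are hypothetical; the Luhn checksum is used to cut false positives from order numbers and other long digit runs.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most order numbers and other arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return masked matches (last four digits only) so alerts never repeat the number."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def check_outbound(raw: str) -> dict:
    """Scan the subject and plain-text parts of one outbound message."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += "\n" + part.get_payload(decode=True).decode("utf-8", "replace")
    cards = find_card_numbers(text)
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr for _, addr in getaddresses(to_cc)]
    return {"violation": bool(cards), "cards": cards, "recipients": recipients}

# Constructed sample messages (4111 1111 1111 1111 is a widely used test card number).
SAMPLE_LEAK = ("From: clerk@example.com\nTo: vendor@example.net\n"
               "Subject: Payment details\n\nCard: 4111 1111 1111 1111 exp 01/30\n")
SAMPLE_OK = ("From: clerk@example.com\nTo: vendor@example.net\n"
             "Subject: Order 1234 5678 9012 3456\n\nShipping on Friday.\n")

if __name__ == "__main__":
    for name, raw in (("leak", SAMPLE_LEAK), ("ok", SAMPLE_OK)):
        print(name, check_outbound(raw))
```

The second sample contains a 16-digit order number that matches the pattern but fails the checksum, so it is not flagged; this is the kind of tuning that keeps false positives down as rules are added.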
An insider threat program plan for malicious insiders should revolve around spotting and reviewing warning signs. Workers and managers should be connected to a contact, and taught suspicious behaviors to look out for, along with careless risks, such as leaving your computer logged in and unattended.
DLP can help you spot malicious insiders. For example, Virtru DLP can alert managers when workers break DLP rules, and BCC managers on email containing sensitive subjects, words, and data. This is generally not a high priority for a pilot insider threat program, but can be helpful for companies with high-risk information, or a history of insider threats.
5. Insider Threat Program — Iterations
Security is an ongoing process, not a one-time initiative. Set modest goals for the early stages of your insider threat program, and have workers and program staff meet frequently to discuss its progress. You may need to tinker with your DLP settings to reduce false positives or add lower priority rules gradually, and there’s a good chance some of your procedures will need tweaking. Stick with it, celebrate your progress as you go, and keep your workers engaged.
At a certain point, you’ll want to roll out your pilot insider threat program to the rest of the company. Look to the workers involved in the original program as leaders and teachers. The more your company can learn from them, the more effective the rollout will be.
Learn More About Defeating Insider Threats
The more you learn about insider threats and other IT security issues, the more effectively you can reduce risk in your organization. Use these resources to learn more.
- 4 Ways a Secure Email Provider Beats a Portal
- Insider Threats in Cyber Security: What Employers Can Do to Protect Themselves
- 4 DLP Security Best Practices for Email
- 6 Common Ways Employees Compromise Enterprise Data Security
- How to Protect Against Social Engineering Attacks
- 4 Reasons HR Managers Need to Use Email Encryption