Preventing An Inside Death: Best Practices for Mitigating Insider Threats

Here’s a quick reality check: the largest cybersecurity threats are often found on the inside. 

More than 34% of businesses globally are affected by insider threats every year, with 2,500 companies in the United States alone encountering daily internal security breaches.

Insider Threats Can’t be Blamed on Technology

Even with these figures, insider attacks are still one of the most underestimated cybersecurity threats in organizations. Internal attacks often aren’t investigated with the same effort external ones are — there tends to be less focus on attackers’ intent, motivation, and capabilities. Security leaders can’t simply ignore the human aspect of these threats, such as in the case of Microsoft when a former software engineer defrauded the company of over $10 million of digital currency over 7 months.

Building Your Insider Risk Mitigation Plan

As your organization prepares for insider threats, identify first the key risks you can mitigate, such as:

  • Fines and penalties as a result of compliance failures and violations
  • Possible churn
  • Data compromise
  • Disruptions in business operations
  • Reputational damage

Once you’ve determined the risks, the next step is to design a mitigation plan to address them. Ekran System recommends including the following components:

  • Steps of the mitigation process — risk evaluation and prioritization; control implementation
  • Insider threat mitigation strategies — based on risk probability and impact (more on these strategies below)
  • Risk reduction controls — clearly defined policies and software; applying necessary adjustments to current procedures
  • Schedule — specifying frequency of risk mitigation activities to keep the plan constantly updated

Best Practices in Insider Threat Mitigation

An update to Forrester’s 2021 report titled Best Practices: Mitigating Insider Threat aims to provide IT and security leaders with a more objective view with regard to addressing insider threats. Here’s a rundown of the main strategies that key researchers Joseph Blankenship and Claire O’Malley mentioned in the report:

1. Don’t rely fully on technology.

The human element is just as important as the technical element. Most of the time, even more so.

Insiders are the people you know and trust — former and current employees; third-party contractors; and business partners. SUBA solutions and DLP help detect a wide range of potential insider threats, but they should be mixed with a consistent process and a highly trained security team for them to be effective.

Adopt a zero trust approach; practice the principle of least privilege to avoid access misuse; and know your insiders. Heightened access visibility across all endpoints is key, and assessments must be done from both a behavioral and technical perspective.  As Axonius writes in their informative post, having comprehensive, realtime asset management is a key element for maintaining network transparency and preventing insider attacks.

2. Keep your insider and external threat functions separate.

A common mistake security leaders make is taking a similar approach to insider and external threats. In fact, interviewees in the Forrester report cited a common handling mishap: treating insider threat as an ordinary security program, and letting it pass off as a mere IT issue.

If your organization hasn’t yet defined its insider threat function, here are some ways to do it:

  • Have a separate insider threat team and engage them in specialized training in threat investigation and management.
  • Keep it separate from the main IT team, and make insider threat responsibilities a function of the CISO, CRO, or any other executive, depending on business needs.
  • Don’t treat employees as the enemy — respect their privacy even as you monitor behavior and access, and clearly communicate your goals to everyone involved in the mitigation process.

3. Get cross-functional buy-in.

Any program or initiative is less likely to be fruitful if there’s not enough support from stakeholders. 

The same can be said for your insider threat program — gather inputs from the top down and secure buy-in from the CEO and the board. Your legal, HR, privacy, risk, and security departments should be at the program’s helm; functions such as the CIO, internal audits, and compliance would act as your key support team.

4. Fortify your insider threat process.

Finally, Forrester notes 2 important things your insider threat program needs to be: fair and consistent.

Investigating an insider requires the combined powers of your legal, HR, and compliance teams to ensure impartiality and adherence to policies. Other strategies for solidifying your insider threat program include:

  • Always know where your sensitive data is, and who has access to what.
  • Create well-defined acceptable use policies for your internal devices and systems, and have employees sign them annually.
  • Get in touch with law enforcement in advance if you ever decide to go beyond termination and bring a case to court, should an insider attack take place.

Final Thoughts

You never know when a trusted insider will be able to break down your company’s defenses. Take the necessary measures we’ve recommended above, run regular security audits, foster a culture of security within your organization, and have a robust incident response plan in place.

Think you’re too small for insider attacks? Think again. Watch our On Demand Session on How to Introduce “Enterprise-Grade” Security at a Startup, featuring Daniel Trauner, Director of Security at Axonius.

Photo by Lewis Kang’ethe Ngugi on Unsplash

Privacy Notice

This privacy notice discloses the privacy practices for (www.ascentconf.com). This privacy notice applies solely to information collected by this website. It will notify you of the following:

  • What personally identifiable information is collected from you through the website, how it is used and with whom it may be shared.
  • What choices are available to you regarding the use of your data.
  • The security procedures in place to protect the misuse of your information.
  • How you can correct any inaccuracies in the information.

Information Collection, Use, and Sharing

We are the sole owners of the information collected on this site. We only have access to/collect information that you voluntarily give us via email or other direct contact from you. We will not sell or rent this information to anyone.

We will use your information to respond to you, regarding the reason you contacted us. We will not share your information with any third party outside of our organization, other than as necessary to fulfill your request, e.g. to ship an order.

Unless you ask us not to, we may contact you via email in the future to tell you about specials, new products or services, or changes to this privacy policy.

Your Access to and Control Over Information

You may opt out of any future contacts from us at any time. You can do the following at any time by contacting us via the email address or phone number given on our website:

  • See what data we have about you, if any.
  • Change/correct any data we have about you.
  • Have us delete any data we have about you.
  • Express any concern you have about our use of your data.

Security

We take precautions to protect your information. When you submit sensitive information via the website, your information is protected both online and offline.

Wherever we collect sensitive information (such as credit card data), that information is encrypted and transmitted to us in a secure way. You can verify this by looking for a lock icon in the address bar and looking for “https” at the beginning of the address of the Web page.

While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information. The computers/servers in which we store personally identifiable information are kept in a secure environment.

If you feel that we are not abiding by this privacy policy, you should contact us immediately via telephone at 202-256-9707 or [email protected].