What is an insider threat mitigation program?

Insider threats can affect organizations of all sizes and shapes, from small businesses to Fortune 100 corporations and local and state governments.

Individuals with access to or knowledge of an organization pose potential risks because they can commit disruptive or harmful acts that cause significant damage, intentionally or unintentionally.

These individuals include current and former employees and anyone who has been granted access, understanding, or privilege.

Examples of insider threats include an engineer who steals and sells trade secrets to a competitor; a maintenance technician who cuts network server wires and starts a fire, sabotaging operations; an intern who unknowingly installs malware; a customer service representative who downloads client contact information and emails it to a personal account for use when starting their own business; a database administrator who accesses client financial information and sells it on the dark web; and an employee who brings a weapon to the office and injures or kills several of their coworkers.

To combat insider threats, organizations should consider implementing a proactive and prevention-focused insider threat mitigation program. This program can assist an organization in defining specific insider threats unique to their environment, detecting and identifying those threats, assessing their risk, and managing that risk before concerning behaviors manifest in an actual insider incident.

An effective program can, among other things, protect critical assets, deter violence, counter unintentional incidents, prevent revenue or intellectual property loss, avoid sensitive data compromise, and protect organizational reputation.

Successful insider threat mitigation programs use practices and systems that limit or monitor access across organizational functions. These practices and systems, in turn, limit the amount of damage an insider can cause, whether intentional or unintentional.

What does an effective insider threat mitigation program do?

  • It identifies and prioritizes the critical assets, data, and services the organization considers valuable. It employs a framework for detecting, identifying, assessing, and managing insider threat prevention, protection, and mitigation.
  • It observes behavior to detect and identify trusted insiders who violate the organization’s trust. It creates a safe and supportive environment, safeguards civil liberties, and maintains confidentiality.
  • It evaluates threats to determine the individual level of risk of identified people of concern.
  • It manages all types of insider threats, including implementing strategies aimed at the person of concern, potential victims, and/or parts of the organization that are vulnerable to or targeted by an insider threat.
  • It engages individual insiders potentially on the verge of committing a hostile, negligent, or harmful act to deter, detect, and mitigate.
  • It fosters a reporting and prevention culture that establishes and reinforces a positive statement about an organization’s investment in people’s well-being, overall resilience, and operational effectiveness.
  • Based on the organization’s type, size, culture, nature, business value, and risk tolerance to malicious, negligent, or unintentional insiders, it employs multi-disciplinary capabilities enabled by technologies and/or dedicated personnel.
  • It helps organizations provide a safe, non-threatening environment in which individuals who may pose a threat are identified and assisted before their actions cause harm.

A comprehensive insider threat mitigation program integrates physical security, personnel assurance, and data-centric principles. Its goals are to understand insider interactions within an organization, monitor those interactions as needed, and intervene to manage them when they threaten the organization.

Instead of aggressive enforcement or a “gotcha” program, an insider threat mitigation program should span the entire organization and serve as a mechanism to assist individuals. With training and awareness, policy and procedure, and management practices that guide employees to act in the interest and benefit of the organization, insider threat programs should encourage and incentivize correct behavior.

Insider threat programs should also discourage, detect, and prevent wrongdoing. When insiders commit harmful acts, such as sabotage, theft, espionage, or physical harm, an insider threat program should take appropriate management or enforcement actions to mitigate the impact(s) of the insider act. As a result, organizations must strike a balance between focus, policy, processes, and messaging.