We've discussed several different trends underlying insider threats today – and why attacks, when they occur, can be so problematic. Employee demographics are shifting quickly, and making matters more complicated, many organizations are reluctant to discuss insider attacks publicly.
In this atmosphere of confusion, without clear guidance or obvious answers, many organizations are asking, “What can we do to stop insider threats?” So we’ve identified three measures that any organization can implement immediately to mitigate attacks from within.
Analysis Across the Career Lifecycle
Most organizations have limited budgets to apply to insider threat programs. Yet these efforts clearly must be a top priority. And ideally, a program should analyze key indicators on employees throughout their career life cycles, from “cradle” to “grave.”
Organizations should have the ability to see how individuals interact with both information and other people at various stages of their career. Based on this data, it is possible to identify areas of concern. You might discover that certain roles within your organization face stress or have access to sensitive data that is not currently accounted for in screening, training, or monitoring. You could then realign resources to deal with those gaps.
In order to establish and implement employee lifecycle monitoring, organizations should follow three steps:
1) Adopt user activity monitoring tools.
These tools should track users’ activity on your network, notifying your team of any “red flags.” Take note: you will get false positives from time to time. You will need experts who can interpret your results, because insider threat is not a challenge that can be solved with technology alone. But a network-monitoring tool will provide you with a great deal of data on how people are using your network. If they trip certain “triggers” – for example, if they download a high volume of classified documents at 3 A.M. – you’ll know. And this data will help inform further analysis, providing baselines and context for your assessments.
2) Communicate your purpose and protocols clearly.
When it comes to matters of insider threat, training and reporting are essential. Communicate your security protocols clearly to employees. Furthermore, make sure that your insider threat program is visible and its purpose well understood throughout your organization.
People tend to distrust what they don’t understand, and you will want to secure maximum buy-in for your program. Communicate its function clearly and frame it as a team effort, collaboratively creating a trusted workforce that works toward the same ends.
3) Collect essential data on employees’ broader contexts.
Once you hire someone to a position with access to sensitive information, you will need data on any major, relevant issues they experience outside of work, or any international travel they embark upon.
This can be the most sensitive and challenging information to collect, and this measure should be implemented last if your organization is working with highly limited resources. It’s crucial to collect the right data so that you can be transparent without leaving employees feeling untrusted or under surveillance. But you will need this information to determine whether employees’ activities fall outside of established norms.
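The off-hours, high-volume trigger described in step 1, checked against each user's own baseline, is sketched below as an added example that is not part of the original article. The log format, thresholds and user names are constructed assumptions, not the output or settings of any particular monitoring product.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

OFF_HOURS = range(0, 6)  # assumption: 00:00-05:59 counts as off-hours
FACTOR = 5               # assumption: flag at more than 5x the user's own median
MIN_COUNT = 10           # assumption: ignore small bursts to limit false positives

def build_sample_log():
    """Constructed events in the form: timestamp,user,action,classification."""
    lines = []
    for day in range(1, 6):  # five ordinary days
        for n in range(3):   # alice: 3 classified downloads at 10:00 each day
            lines.append(f"2024-03-0{day}T10:{n:02d}:00,alice,download,classified")
        for n in range(4):   # bob (night shift): 4 classified downloads at 03:00
            lines.append(f"2024-03-0{day}T03:{n:02d}:00,bob,download,classified")
    for n in range(40):      # alice: burst of 40 classified downloads at 03:00
        lines.append(f"2024-03-06T03:{n:02d}:00,alice,download,classified")
    lines.append("2024-03-06T03:05:00,carol,download,public")  # not classified
    return lines

def hourly_counts(lines):
    """Count classified downloads per (user, date, hour) bucket."""
    counts = defaultdict(int)
    for line in lines:
        ts, user, action, classification = line.strip().split(",")
        if action == "download" and classification == "classified":
            t = datetime.fromisoformat(ts)
            counts[(user, t.date(), t.hour)] += 1
    return counts

def red_flags(lines):
    """Return (user, date, hour, count, baseline) for buckets that trip the trigger."""
    counts = hourly_counts(lines)
    per_user = defaultdict(list)
    for (user, _day, _hour), n in counts.items():
        per_user[user].append(n)
    flags = []
    for (user, day, hour), n in sorted(counts.items()):
        others = list(per_user[user])
        others.remove(n)  # the baseline excludes the bucket under test
        baseline = median(others) if others else 0  # no history: baseline of 0
        if hour in OFF_HOURS and n >= MIN_COUNT and n > FACTOR * baseline:
            flags.append((user, str(day), hour, n, baseline))
    return flags

if __name__ == "__main__":
    for flag in red_flags(build_sample_log()):
        print("RED FLAG:", flag)
```

The night-shift user's regular 3 A.M. activity is not flagged because it matches that user's own baseline, while the same hour with a tenfold jump in volume is; a flag is still only a prompt for an analyst to review, not a finding.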
Before a company or organization takes any definitive steps to revise their insider threat programs, they should perform an assessment of their risk profile and security gaps.