As in many sectors, security must often carry out its mission with limited personnel and financial resources. When considering how to best implement a new or growing Insider Threat program, it’s important to find the highest impact without stretching security too thin.
What strategies offer the best combination of cost and effectiveness for an organization trying to pinpoint and diminish illegitimate insider misuse?
Strategic development first needs to involve the relevant internal stakeholders and must align with the security culture of the organization. What do we mean by security culture? Simply that size, scope and industry will impact how security is both viewed and carried out internally. A major aircraft manufacturer or military installation will not have the same security procedures in place as a 20-person software firm. Accordingly, anything that is put in place must be appropriate to your organization, which in turn means it will be more readily accepted by employees.
With that in mind, here are three priority areas to consider when developing an Insider Threat program:
Understand Risks and Threats
These are related concepts but they are two different things. Risk means the chance (or probability) that something bad will happen. A threat is the actor who carries out the bad activity. Is your greatest risk the theft of intellectual property? Industrial sabotage? Fraud? And who is most likely to represent an internal threat? Is it a disgruntled employee? A contractor? A joint-venture partner? Clarity around these topics will help orient you in program design.
Employee training, particularly of front-line managers, has proven to be especially effective both in reinforcing the organization-wide message that all employees have a responsibility in protecting assets and in educating them on the warning signs of Insider Threat behavior.
Prioritize and Protect Your Assets
To protect everything is to protect nothing. Understanding where your most crucial value lies is key to structuring an appropriate response. Consider those assets that an adversary would most want in order to gain economic or information advantage.
Then, continually monitor your networks and other locations where your most valuable information resides. Keep an especially close eye on privileged users, who tend to have the most access and could do the most damage. Enforce the doctrine of “least privilege” where possible by giving employees access only to the data they need to effectively carry out their jobs.
In later stages of your Insider Threat program you will ideally be able to merge disparate data streams and create an overarching picture of attempts to misappropriate data on your network.