Article contributed by David Sanders, Director of Insider Threat Management Consulting
Insider risk programs seek to deter, detect and respond to malicious and unwitting insiders to reduce harm inflicted on a company. Best practices deter insiders through training, awareness, security controls and IT controls; detect potential or realized acts by integrating and analyzing data from disparate data sources; then respond effectively to mitigate the impact of the actions now and in the future.
Insider risk programs are most effective when they have cross-functional support and participation from stakeholders to share data, investigate cases and mitigate impacts.
The Jump-Start Checklist
Building an insider risk program is challenging for many companies because they lack the necessary experience and knowledge. Our insider risk consultants can help you kick off your program and achieve a high level of maturity within six months, following this eight-step checklist:
1) Prepare for Your Program
Define the scope, goals and expectations of the program and then obtain budget, resources and support from stakeholders to accomplish those goals. Selectively outsource support to stakeholders as needed to meet goals. For example, investigative support can be obtained from another group, but keep in mind this may require tradeoffs.
2) Perform a Capability Maturity Review
Obtain an understanding of your company’s current capabilities to operate an insider risk program. Evaluate policies, processes, controls, governance and technologies that can enable insider risk program capabilities. Based on findings, develop a roadmap to achieve the desired level of capability.
3) Narrow Your Focus
Based on your budget and available resources, define the threats and critical assets to be protected by the program. Insider risk comes in many forms, but misuse and/or disclosure of data is the most common type. The unauthorized transmission of confidential, proprietary or sensitive information can do serious damage to an organization’s competitive advantages and reputation. Therefore, we recommend that the initial scope of program should be reducing data loss, especially by high-risk employee groups. A starting point for critical assets depends on the business but may generally include intellectual property, PCI data, customer data, protected health information (PHI), etc.
4) Involve Stakeholders
Understand how stakeholders operate, identify how they can support the program, train them on program goals and operations and then align their roles and responsibilities to enable success. Most stakeholders will support the goals of the insider risk program provided they are informed and included.
5) Plan Your Insider Risk Tool Suite
Insider risk programs require well maintained DLP tools (network, endpoint and email), user activity monitoring (UAM) and an analytical platform that integrates data from disparate data sources, calculates meaningful risk scores and effectively supports the analytical process. Over time this environment can be tuned and automated to reduce the staffing required to operate it. If resources are not available to acquire these tools, then re-use of existing tools can fill some gaps but will require more labor or will result in missed opportunities to detect and mitigate.
6) Implement a Response Plan
Responses to insider actions are some of the most sensitive and complex activities an organization can conduct – sensitive in that detection is focused on trusted employees and business partners and often initiated based on analysis of information reflecting a risk of inappropriate acts rather than a discrete allegation of misconduct. Establishing repeatable, transparent processes that balance risk and trust within an organization will allow even modestly staffed programs to be successful.
7) Educate Your Employees
Provide your employees, managers and executives an awareness of this new security capability and do so in a way that inspires trust and cooperation. Explain to employees what behaviors lead to data breaches and leaks and the steps they can take to avoid those negligent actions. Ensure employees know who to contact if they are aware of a breach, need assistance or want to report indicators of insider threat activity.
8) Demonstrate Value
Record metrics of leads, cases and impacts, then report these in an impactful manner to leadership. Brief impactful cases discovered and worked by the program to demonstrate the value of the program. Obtaining and maintaining leadership support is crucial to building and continuing to operate an insider risk program.
Take the first step in building your insider risk program
The Cyderes insider threat risk expert advisory team has deep experience building and operating insider risk programs and reducing data and IP theft. Cyderes helps customers build substantial capability faster with better integration and alignment with existing cybersecurity capabilities and company objectives.
