No one wants their organization to be the next poster child for a major informational breach. No one wants their company to make headlines for having their data compromised or stolen. No one wants their governmental agency to become the example of what not to do in IT security.
Mitigating insider threat is critical to keeping your organization from becoming the next cautionary tale of poor informational security practices. With that in mind, here are three key strategies to limit insider threat in your organization.
Get a grasp of what you are doing already in terms of mitigating insider threat.
In this fast-changing environment, many IT security professionals do not know exactly how much their organizations are currently doing to combat this tremendous potential for breaches. Without knowing where the security holes are located, there is no way to plug the insider threat dam. IT security professionals should sit down with their teams to discuss what is in place in terms of technological defenses that can stem the tide of careless or malicious insider intrusion.
Also, top IT security executives should be coordinating their efforts with their human resources department, lines of business, and the C-suite, as well as potentially legal services, to ensure that their current strategies and policies for preventing, policing, and disciplining potential insider threats are consistent and meaningful. From there, IT security teams can focus on what needs to be improved or added.
Consider your organization’s plan for response.
Just like running a fire drill, helping mitigate the potential incidence or impact of insider threat has a lot to do with being prepared. Simply put, the potential for at least a minor insider breach to occur, combined with the potential impact of a not-so-minor breach, is so great that it bears planning out a thoughtful response.
The IT security team should have its own response plan in place in the event of an insider breach, which covers a host of common scenarios, be it a malicious attack perpetrated by a savvy, high-level former executive, or a careless response to a spear-phishing email allowed in by a low-level worker with little access to critical information assets. The plan should take into account the roles of the IT security team in quickly and effectively rooting out this threat, once it is determined; how the team will collaborate with and enlist lines of business, human resources, compliance, and legal departments at the organization; how and when the rest of the organization should be notified; how and if external vendors or customers should be notified; and how clean-up of the incident should happen and a post-mortem of the event should occur to prevent future similar incidents from taking place.
Stay on top of the flow of data – especially access to the most valuable assets.
Organizations cannot stop their employees from accessing the information they require to do their day-to-day jobs. But that does not mean they have to open the firehose and let everyone drink in the flow of all the information, or that they should not track that access. Monitoring and logging user activities, including what data is moving over the network and especially what data is being taken off the network, is critical to the early detection of insider threat. IT security departments need to coordinate with lines of business and human resources departments to set and maintain policies regarding proper access control, so that employees can only get to the information that they need to do their jobs. Perimeter defenses do little good, as the definition of insider threat means that the perpetrator is already inside the gates of the organization.
One critical factor, then, is to make sure that not everyone is allowed the keys to the kingdom. The next is to track internal network traffic and access logs for indicators of suspicious behavior, including an employee trying to access information they do not have permission for, a violation of the organization’s policies, or hoarding or massive downloading of data.
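The log review described above can be sketched as follows. This is an added example, not part of the original article: the log format, user names, file paths and thresholds are all constructed assumptions. It flags users with repeated denied access to distinct resources and users whose download volume far exceeds the median of their peers.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log (assumed format): time user action resource status bytes
SAMPLE_LOG = """\
2024-05-01T09:02:11 alice READ /finance/q1.xlsx ALLOW 48211
2024-05-01T09:05:40 bob READ /eng/design.pdf ALLOW 120553
2024-05-01T09:07:02 carol READ /hr/salaries.csv DENY 0
2024-05-01T09:07:30 carol READ /hr/reviews.docx DENY 0
2024-05-01T09:08:15 carol READ /legal/contracts.zip DENY 0
2024-05-01T09:15:00 dave READ /eng/source.tar ALLOW 950000000
2024-05-01T09:16:10 dave READ /eng/customers.db ALLOW 720000000
2024-05-01T09:20:45 alice READ /finance/q2.xlsx ALLOW 51200
2024-05-01T09:31:09 bob READ /hr/salaries.csv DENY 0
"""

def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, user, action, resource, status, size = line.split()
    return {"ts": ts, "user": user, "action": action,
            "resource": resource, "status": status, "bytes": int(size)}

def detect(log_text, denied_threshold=3, volume_factor=10):
    """Return {user: [findings]} for the indicators named in the article."""
    denied = defaultdict(set)   # user -> distinct resources that were refused
    volume = defaultdict(int)   # user -> bytes successfully transferred
    for line in log_text.splitlines():
        try:
            ev = parse_line(line)
        except ValueError:
            continue            # skip blank or malformed lines
        if ev["status"] == "DENY":
            denied[ev["user"]].add(ev["resource"])
        else:
            volume[ev["user"]] += ev["bytes"]
    findings = defaultdict(list)
    # Indicator 1: probing for data outside the user's permissions.
    for user, resources in denied.items():
        if len(resources) >= denied_threshold:
            findings[user].append("repeated_denied_access")
    # Indicator 2: hoarding, measured against the median of all users.
    baseline = median(volume.values()) if volume else 0
    for user, total in volume.items():
        if baseline and total > volume_factor * baseline:
            findings[user].append("bulk_download")
    return dict(findings)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The thresholds are placeholders; in practice they are tuned per role, since a backup operator and an HR analyst have very different normal volumes.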