How to set up a powerful insider threat program

Security spend continues to focus on external threats, even though threats often come from within the organization. A recent Forrester Research report for Imperva found that only 18 percent of respondents prioritized spend on a dedicated insider threat program (ITP), compared with 25 percent who prioritized external threat intelligence.


And it is not just the employee with a grudge you need to worry about: most insider incidents are non-malicious. In the 2022 Cost of Insider Threats Global Report, Proofpoint and the Ponemon Institute found that careless or negligent behavior accounted for 56 percent of all incidents, and that these also tend to be the most costly, with the average clean-up operation costing $6.6m.

Failed fixes

Part of the problem lies in perception: the Forrester report found that almost a third of those questioned did not regard employees as a threat. But these incidents are also notoriously difficult to prevent, because you are essentially trying to control legitimate access to data. Mitigating them is not just a matter of adding security controls but of detecting potential indicators of compromise (IoCs) in user behavior, and for this reason most businesses rely on staff training to address the issue. Yet, as the figures above show, training alone is often insufficient.

The same Forrester report found that while 65 percent use staff training to ensure compliance with data protection policies, 55 percent said their users have found ways to circumvent those same policies. Others said they rely on point solutions to prevent incidents, with 43 percent using data loss prevention (DLP) to block actions and 29 percent monitoring via the SIEM (although data can still be exfiltrated without either system detecting it). The problem is that neither network security controls nor employee monitoring take into account the stress factors that push resourceful employees to resort to workarounds.

While prevention is always better than cure, the current approach to insider threats is too heavily weighted towards prevention. Consequently, there is insufficient focus on what to do when an insider threat, malicious or not, is realized. So, while training and network security controls do have their part to play, both need to be part of something much more wide-ranging: the ITP.

An ITP aligns policies, procedures, and processes across different business departments to address insider threats. It is widely regarded as critical to mitigating insider threats, yet only 28 percent of those surveyed by Forrester claim to have one in place. The reason is that many organizations find setting one up daunting. In addition to getting people on board and policies in place, the business needs to inventory its data and locate data sources, determine how it will monitor behaviors, adapt the training program, decide how investigations will be carried out, and decide how the ITP itself will be assessed on a regular basis.

Getting started

To begin with, a manager and a dedicated working party are required to steer the ITP. The members need clear roles and responsibilities and must agree to a code of ethics and/or sign an NDA, because there are many laws on employee privacy and monitoring, as well as other legal considerations, that must be factored into the writing and execution of policy. The working group's first job is to create an operations plan and put together a high-level version of the insider threat policy.

They then need to consider how to inventory and access internal and external data sources, which requires the working group to be familiar with the record-handling and use procedures specific to particular data sets. Once the processes and procedures needed to collect, integrate, and analyze the data have been created, the data should be labeled according to its use, since it may later be relevant to a privacy investigation. (Notably, nearly 58 percent of incidents that impact sensitive data are caused by insiders, according to Forrester.)

Consider whether you will use technology to monitor end-user devices, logins, and so on, and document this through signed information systems security acknowledgement agreements. Potential IoCs include database tampering, inappropriate sharing of confidential company information, deletion of files, or viewing of inappropriate content. When such behaviors come to light, discretion is critical, and any investigation needs to be watertight and defensible, as it may end up in a legal case.
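The behavioral IoCs listed above only become actionable once they are expressed as rules over the audit data the ITP collects. The following is an added example, not code from the original article or from any product it mentions: it parses a constructed audit-log format (timestamp | user | action | target, an assumption made for the example), and flags four of the behaviors named above: mass file deletion in a short window, uploads to personal cloud storage (the domain list is assumed), external sharing of material under a "confidential/" path, and writes to a protected audit table. Thresholds and the sample log lines are constructed for illustration.

```python
"""Behavioral IoC triage over constructed audit-log lines (added example).

Assumed log format (hypothetical, not any vendor's):
    ISO-8601 timestamp | user | action | target
Actions used: READ, DELETE, UPLOAD, SHARE_EXTERNAL, DB_UPDATE
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log (not real data). alice mass-deletes, bob deletes
# two files hours apart (benign), carol uploads to personal cloud storage,
# dave shares a confidential deck externally, erin writes to the audit table.
SAMPLE_LOG = """\
2024-03-04T09:00:01 | alice | READ | finance/q1.xlsx
2024-03-04T09:02:11 | alice | DELETE | finance/q1.xlsx
2024-03-04T09:02:12 | alice | DELETE | finance/q2.xlsx
2024-03-04T09:02:14 | alice | DELETE | finance/q3.xlsx
2024-03-04T09:02:15 | alice | DELETE | finance/q4.xlsx
2024-03-04T09:02:20 | alice | DELETE | finance/summary.docx
2024-03-04T09:30:00 | bob | DELETE | scratch/tmp1.txt
2024-03-04T14:30:00 | bob | DELETE | scratch/tmp2.txt
2024-03-04T10:15:00 | carol | UPLOAD | https://www.dropbox.com/home/personal
2024-03-04T10:16:00 | carol | UPLOAD | https://sharepoint.example.internal/team
2024-03-04T11:00:00 | dave | SHARE_EXTERNAL | confidential/roadmap.pptx
2024-03-04T11:05:00 | dave | SHARE_EXTERNAL | public/brochure.pdf
2024-03-04T23:40:00 | erin | DB_UPDATE | db.audit_log
"""

# Assumed tuning values; a real program derives these from its own baseline.
PERSONAL_CLOUD_DOMAINS = ("drive.google.com", "dropbox.com")
MASS_DELETE_THRESHOLD = 5
MASS_DELETE_WINDOW = timedelta(minutes=5)
PROTECTED_TABLES = ("db.audit_log",)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    target: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed pipe-delimited format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = (p.strip() for p in line.split("|", 3))
        events.append(Event(datetime.fromisoformat(ts), user, action, target))
    return sorted(events, key=lambda e: e.ts)


def is_personal_cloud(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, a listed personal cloud service."""
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in PERSONAL_CLOUD_DOMAINS)


def find_iocs(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) findings; each rule fires at most once per user."""
    findings: list[tuple[str, str, str]] = []
    seen: set[tuple[str, str]] = set()
    recent_deletes: dict[str, deque[datetime]] = defaultdict(deque)

    def fire(rule: str, user: str, detail: str) -> None:
        if (rule, user) not in seen:
            seen.add((rule, user))
            findings.append((rule, user, detail))

    for e in events:
        if e.action == "DELETE":
            # Sliding window: keep only deletions inside the last MASS_DELETE_WINDOW.
            q = recent_deletes[e.user]
            q.append(e.ts)
            while q and e.ts - q[0] > MASS_DELETE_WINDOW:
                q.popleft()
            if len(q) >= MASS_DELETE_THRESHOLD:
                fire("MASS_DELETE", e.user, f"{len(q)} deletions within {MASS_DELETE_WINDOW}")
        elif e.action == "UPLOAD" and is_personal_cloud(e.target):
            fire("PERSONAL_CLOUD_UPLOAD", e.user, e.target)
        elif e.action == "SHARE_EXTERNAL" and e.target.startswith("confidential/"):
            fire("CONFIDENTIAL_SHARE", e.user, e.target)
        elif e.action == "DB_UPDATE" and e.target in PROTECTED_TABLES:
            fire("PROTECTED_TABLE_WRITE", e.user, e.target)
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_iocs(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {user:8} {detail}")
```

Run as-is, the script reports alice (mass deletion), carol (personal cloud upload), dave (confidential share) and erin (audit-table write), while bob's two deletions hours apart stay below the threshold. The point of the sliding window is to separate a burst from ordinary housekeeping; in practice each finding is a trigger for the discreet review process described in the article, not a verdict.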

Digital forensics for defensibility

How the business responds to and investigates incidents should also be detailed in the ITP. Consider whether the investigation will be internal, at what point you will need to involve external agents, and who will need to be notified. Where will the data for the investigation be held, and for how long? While it is important to retain relevant information, you do not want to fall into the trap of keeping more than necessary, as this elevates risk; the ITP should therefore also overlap with a data minimization policy.

Digital forensics tools should be used to support the ITP. You will need to decide how you proactively manage insider threats and whether these tools will only be used reactively, after an incident, or also covertly and proactively. For example, some businesses with high-value assets carry out a sweep to establish whether data has been exfiltrated when an employee leaves the organization. You should also ensure these tools can collect from endpoints remotely, including endpoints that are off the corporate network, and from cloud sources, and that they are OS-agnostic so you can capture data on Macs as well as PCs.

Digital forensics ensures the business can quickly capture and investigate any incident of wrongdoing. For example, it can determine the date, time, and pathway used to exfiltrate data from the corporate information estate to any device, endpoint, or online storage service such as Google Drive or Dropbox, or even its publication on a social media platform. Once the data has been traced, it is then possible to narrow down likely suspects until the team has indisputable proof.

Both the way the investigation is done and the evidence itself must be beyond reproach and legally defensible, because such incidents may lead to dismissal or even prosecution. If challenged in a legal tribunal, the business will need to prove due diligence, so there must be a forensically sound and repeatable process and a proper chain of custody for the handling of the evidence.
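A chain of custody is only defensible if a later reviewer can show that neither the evidence nor the custody record changed after acquisition. The following is an added example, not the article's or any vendor's code, of the two mechanisms that make that possible: a cryptographic hash of each evidence item recorded at acquisition, and a hash-chained, append-only custody ledger in which every entry commits to the one before it. The ledger design, field names and the "laptop-1234.img" evidence file are assumptions made for the example; the evidence contents are constructed.

```python
"""Hash-chained chain-of-custody ledger for digital evidence (added example).

Assumed design: each ledger entry records the SHA-256 of the evidence item and
the hash of the previous entry, so altering evidence, editing an entry, or
dropping an entry is detectable on verification.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_entry_hash of the first entry


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash an entry's fields (excluding its own hash) over canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class CustodyLedger:
    """Append-only custody record; entries are linked by hash (assumed design)."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, evidence_path: str, custodian: str, action: str, note: str = "") -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "evidence": os.path.basename(evidence_path),
            "sha256": sha256_file(evidence_path),  # hashed at every handover
            "note": note,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify_ledger(entries: list[dict], evidence_dir: str | None = None) -> list[str]:
    """Return a list of problems; an empty list means ledger (and evidence) are intact."""
    problems: list[str] = []
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i:
            problems.append(f"entry {i}: sequence gap")
        if e.get("prev_entry_hash") != prev:
            problems.append(f"entry {i}: broken chain")
        if _entry_hash(e) != e.get("entry_hash"):
            problems.append(f"entry {i}: entry altered after it was recorded")
        prev = e.get("entry_hash", "")
    if evidence_dir is not None:
        # The hash taken at first acquisition is the one the evidence must still match.
        acquired: dict[str, str] = {}
        for e in entries:
            acquired.setdefault(e["evidence"], e["sha256"])
        for name, digest in acquired.items():
            path = os.path.join(evidence_dir, name)
            if not os.path.exists(path):
                problems.append(f"{name}: evidence file missing")
            elif sha256_file(path) != digest:
                problems.append(f"{name}: content differs from acquisition hash")
    return problems


def demo() -> tuple[list[str], list[str], list[str]]:
    """Acquire a constructed evidence file, then show both kinds of tampering being caught."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "laptop-1234.img")  # hypothetical evidence item
        with open(img, "wb") as f:
            f.write(b"constructed disk image contents")  # constructed, not a real image
        ledger = CustodyLedger()
        ledger.record(img, "analyst-a", "acquired", "image of departing employee laptop")
        ledger.record(img, "analyst-b", "transferred", "handed over for analysis")
        clean = verify_ledger(ledger.entries, d)

        with open(img, "ab") as f:  # evidence modified after acquisition
            f.write(b"!")
        evidence_tampered = verify_ledger(ledger.entries, d)

        # Forge entry 0 and recompute its hash: the link from entry 1 still breaks.
        forged = [dict(e) for e in ledger.entries]
        forged[0]["custodian"] = "analyst-x"
        forged[0]["entry_hash"] = _entry_hash(forged[0])
        ledger_tampered = verify_ledger(forged)
    return clean, evidence_tampered, ledger_tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "evidence tampered", "ledger tampered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The chain makes the ledger tamper-evident, not tamper-proof: someone holding the whole file can rewrite every entry and rehash the chain. In practice the head hash is anchored somewhere the custodian cannot rewrite (write-once storage, a signed timestamp, or a countersignature by a second party), which is what lets the process be presented as repeatable in a tribunal.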

Keeping employees onside

Employee buy-in is also essential to success. The policy should communicate the privacy, financial, and even physical repercussions of a breach so that the workforce is aware of the risks involved. But there should also be processes in place that enable users to report behavioral IoCs. Guidelines should stipulate how and when IoCs should be reported and through which channels, e.g., a tip phone line, an email address, or a physical drop box. Completion of the awareness training should also be documented.

The ITP will need to be put to the test, but preferably not with an actual incident. Instead, an insider threat risk assessment should be carried out to identify gaps in security controls and business processes, to assess how easily data can be exfiltrated, and to check how well the digital forensics processes perform. Consider how you can bring insider threat management into other security policies, such as those covering BYOD, and ensure that trusted business partners and sub-contractors are subjected to insider threat risk assessments too.

Finally, bear in mind that the strategy will need to adapt and change as new processes are brought online and data sources are added. Key to this is maintaining an accurate data inventory and ensuring that your digital forensics tools have sufficient reach to deal with new technologies and exfiltration pathways. You can also benchmark your program against other businesses within your sector.

The aim of implementing an insider threat program is to protect not just the business, its data, and its processes from harm, but also its employees. Covertly monitoring workflows can enable IoCs to be flagged more accurately, helping to prevent incidents from escalating. And when the unthinkable happens and an unwitting employee does expose sensitive data, having robust, defensible processes in place, with the incident already documented, makes it much easier to carry out a digital forensics investigation and to bring any resulting legal case to a swift conclusion.