Catching a threat before any damage occurs: that’s the goal of any insider threat program, but what steps can be taken to make this a reality?
#1 Explain what it is
Transparency is important, especially when launching an insider threat program. After all, this is a program that protects the organization as well as the employee.
A good insider threat program knows that it will find more unintentional threats than it will malicious insiders. Oftentimes, putting new or strange behaviors into context is an important factor in distinguishing between an unintentional insider and a malicious insider.
#2 Define the Scope
Know your key assets, and focus your efforts on certain areas rather than trying to cover everything.
Consider an analyst with a public trust clearance who, after 17 years of flawless service, is caught using their company computer to look up quick ways to pay back student loans over an unsecured network. While this is something that shouldn’t have happened on a work computer, it is not something the insider threat program would need to flag, since the analyst’s security clearance doesn’t allow them to access information that could put the organization at risk. Instead, this can be handled by the analyst’s manager.
#3 Develop Policy
Policy can serve as the key to right and wrong for your workforce. In creating policies, you are telling employees what needs to be done, which helps them gain a clear understanding of the program and leaves no room for misunderstanding. Consider a lead engineer who, after falling behind at work, decides to take home classified information on a USB drive. A coworker who overheard the engineer bragging over coffee about how much work they were getting done at home reported this breach. Upon further investigation, it is revealed that the engineer has been doing this for the past year. Thanks to good policy, this was brought to the attention of the insider threat program and dealt with accordingly.
A plan will help guide which course of action to pursue when a flag goes up. There are bound to be anomalies that are unintentional. When it comes to dealing with human behavior, there isn’t a one-size-fits-all solution. Take, for example, a systems administrator who is going through a divorce. This upheaval in their personal life causes them to be distracted at work and accidentally take a few shortcuts, resulting in a policy violation. While this behavior will raise a flag, it isn’t a behavior that reveals a malicious actor. When setting up an insider threat program, it is important to tailor it to organizational priorities. Not all insider threat programs will be alike, but they will all strive to catch threats before any damage occurs.