Best practices for creating an insider threat program

Step 1. Plan preparation

• Get executive engagement and buy-in. Regularly apprise senior management and the board about the potential risk and mitigation of insider threats, as well as request for ongoing support.
• Create a cross-organization dedicated threat team. An insider threat team should not just consist of members of the infosec team. Include HR, legal, audit and finance members who can serve as program ambassadors for companywide training and operations. This cross-pollination provides diverse viewpoints in the program.
• Detail onboarding and offloading procedures. Include how to handle employees, contractors, partners, new hires through M&A and others who have access to company systems or data. Also devise offloading procedures for terminated employees, contractors, divestitures, etc.
• Conduct cybersecurity awareness training. All employees should be trained on the basics of insider threat vigilance.
• Select employees to be vigilant eyes of the insider threat watch. This requires memorable, effective and resonant training. Employees picked should cover a wide demographic and span various functional roles. Training should include awareness of predispositions, stressors and behavioral changes of fellow employees -- as well as proper protocol to report suspicions. Cybersecurity and Infrastructure Security Agency outlined a six-step progression that describes how malicious insiders evolve.
• Develop employee incentives. Create HR oversight and monitoring of employee sentiments after incidents -- for example, salary reviews, layoffs, stock grants and promotions -- to identify and prevent disgruntled insiders.
• Use technology to detect anomalous and malicious activity. On the technical front, identify behavior that could indicate insider threats. This involves monitoring network and host activity and mandating tools that require appropriate monitoring of IT systems. Security monitoring platforms can be used to review how employees access and use company data and flag potential violations. Behavior analytics software and SIEM products can be used to audit activity to discover anomalous actions.

Step 2. Threat assessment

When an incident is reported, the threat team needs to be activated immediately, and a timely decision needs to be made about whether the threat is negligent or malicious.

If negligent, the incident needs to be flagged for follow-up to update the cybersecurity awareness training program and/or the technical indicators.

If the incident is determined to be malicious, initiate the following:

• Launch a thorough risk assessment.
• Based on the assessment, recommend appropriate intervention actions.
• For emergency situations that involve an immediate threat to physical safety, activate the company's emergency response plan, and contact local law enforcement.

Step 3. Plan review and renewal

• Market changes. Keep up to date with new and changing regulations, competitive breaches, stock market swings, etc., and update the preparation stage processes, trainings and operations to reflect any changes.
• Societal changes. Elections, wars, violence, demographic shifts and so forth need to be factored into potential threat triggers. Update the plan preparation and threat assessment stages' processes, training and operations as needed.
• Technological changes. Always be aware of new detection tools, better analytics to reduce false positives and technology-driven changes, such as metaverse, nonfungible tokens, cryptocurrency, and their effect on the plan preparation and threat assessment stages' processes, trainings and operations.

Insider threats will continue to be a persistent threat vector for the foreseeable future. Following this three-stage methodology greatly reduces the risk of suffering malicious or negligent insider attacks.