How to Build an Insider Threat Program [10-step Checklist]


An efficient insider threat program is a core part of any modern cybersecurity strategy. Having controls in place to detect, deter, and respond to insider attacks and inadvertent data leaks is a necessity for any organization that strives to protect its sensitive data. It’s also required by many IT regulations, standards, and laws: NISPOM, NIST SP 800-53, HIPAA, PCI DSS, and others.


In this article, we’ll share best practices for developing an insider threat program.

What is an insider threat program?


Creating an efficient and consistent insider threat program is a proven way to detect early indicators of insider threats, prevent insider threats, or mitigate their consequences. An insider threat program is “a coordinated group of capabilities under centralized management that is organized to detect and prevent the unauthorized disclosure of sensitive information,” according to the National Institute of Standards and Technology (NIST) Special Publication 800-53. It’s also frequently called an insider threat management program or framework.


Usually, an insider threat program includes measures to detect insider threats, respond to them, remediate their consequences, and improve insider threat awareness in an organization. But before we take a closer look at the elements of an insider threat program and best practices for implementing one, let’s see why it’s worth investing your time and money in such a program.

Why is it worth building an insider threat program?


Outsiders and opportunistic attackers are considered the main sources of cybersecurity violations. But there are many reasons why an insider threat is more dangerous and expensive:


  • Insiders know their way around your network.
  • Insiders know what valuable data they can steal.
  • Insiders have legitimate credentials, so their malicious actions can go undetected for a long time.


Due to these factors, insider attacks can persist for years, leading to remediation costs ballooning out of proportion. The 2020 Cost of Insider Threats: Global Report [PDF] by the Ponemon Institute states that the total average cost of an insider-related incident is $11.45 million.


Creating an efficient insider threat program rewards an organization with valuable benefits:


  • Reduced costs of an insider attack. An insider threat program maximizes your chances to detect and deter an attack quickly, minimizing the damage an insider can cause.
  • Compliance with standards, laws, and regulations. NIST Special Publication 800-53, NISPOM, the US National Insider Threat Policy and Minimum Standards, and other IT standards and regulations oblige organizations to develop and maintain insider threat programs.
  • Early detection of insider threats. Detecting insider threats is more challenging than detecting outside attacks. An insider threat program helps spot a threat before it becomes an attack and causes harm.
  • Fast and efficient response to an insider attack. An insider threat program clearly outlines the procedures, tools, and personnel responsible for mitigating a threat. With this knowledge, employees can efficiently handle a cybersecurity incident.


10 steps to create an efficient insider threat program


To help you get the most out of your insider threat program, we’ve created this 10-step checklist. Let’s take a look at 10 steps you can take to protect your company from insider threats.


1. Get ready to build an insider threat program


Preparation is the key to success when building an insider threat program and will save you lots of time and effort later. During this step, you need to gather as much information as you can on existing cybersecurity measures, compliance requirements, and stakeholders as well as define what results you want to achieve with the program.


Here’s what you should do:


  • Assess your current cybersecurity measures
  • Research the IT requirements for insider threat programs that you need to comply with
  • Define the expected outcomes of the insider threat program
  • Form a list of stakeholders to involve


2. Perform a risk assessment


Defining what assets you consider sensitive is the cornerstone of an insider threat program. These assets can be both physical and virtual: client and employee data, technology secrets, intellectual property, prototypes, etc. Performing an external or insider threat risk assessment is the perfect way to detect such assets as well as possible threats to them. It helps you form an accurate picture of the state of your cybersecurity.


Usually, the risk assessment process includes these steps:

(Figure: 5 steps to assess risks)

Once you’ve written down and assessed all the risks, communicate the results to your organization’s top management. It’s also a good idea to make these results accessible to all employees to help them reduce the number of inadvertent threats and increase risk awareness.

3. Estimate the resources needed to create the program


Developing an efficient insider threat program is difficult and time-consuming. Before you start, it’s important to understand that it takes more than a cybersecurity department to implement this type of program. To succeed, you’ll also need:


  • Administrative resources — Support from various departments in your organization and their involvement in developing your insider threat program
  • Technical resources — Deployment of dedicated insider threat management software along with reconfiguration of existing solutions and infrastructure
  • Financial resources — Money for purchasing cybersecurity software and hiring dedicated specialists


Prepare a list of required measures so you can make a high-level estimate of the finances and employees you’ll need to implement your insider threat program. You’ll need it to discuss the program with your company management. 

4. Acquire support of senior management


At this step, you can use the information gathered during previous steps to acquire the support of your key stakeholders for implementing the program. The list of key stakeholders usually includes the CEO, CFO, CISO, and CHRO.


To gain their approval and support, you should prepare a business case that clearly shows the need to implement an insider threat program and the possible positive outcomes. Make sure to include the benefits of implementation, data breach examples in your industry (and their consequences), and ways that the insider threat program can help C-level officers in achieving their business goals.


5. Create an insider threat response team


An insider threat response team is a group of employees in charge of all stages of threat management, from detection to remediation. Contrary to common belief, this team should not only consist of IT specialists. It should be cross-functional and have the authority and tools to act quickly and decisively.


When creating your insider threat response team, make sure to determine:


  • The mission of the insider threat response team
  • The leader of the team and the hierarchy within the team
  • The scope of responsibilities for each team member
  • The policies, procedures, and software that the team will maintain and use to combat insider threats



6. Determine insider threat detection measures


Early detection of insider threats is the most important element of your protection, as it allows for a quick response and reduces the cost of remediation. That's why the ability to detect threats is often an integral part of PCI DSS, HIPAA, and NIST 800-171 compliance software.


To efficiently detect insider threats, you need to:


  • Monitor user activity and collect detailed logs of each user action within your network. Monitoring data helps security officers review suspicious sessions in real time, investigate incidents, and assess the overall state of cybersecurity. 
  • Manage user access to sensitive resources. This allows you to prevent unauthorized access and detect suspicious access attempts. 
  • Analyze user behavior to detect early indicators of a threat. User and entity behavior analytics (UEBA) is a tool that usually employs artificial intelligence algorithms to analyze normal user activity, create a baseline of behavior for each user, and notify the insider threat response team of suspicious actions.


7. Form incident response strategies


To act quickly on a detected threat, your response team has to work out common insider attack scenarios. The most important thing about an insider threat response plan is that it should be realistic and easy to execute. Don’t try to cover every possible scenario with a separate plan; instead, create several basic plans that cover the most probable incidents.


Your response for each of these scenarios should include:

(Figure: insider threat response scenarios)

8. Plan incident investigation and remediation


To effectively manage insider threats, plan your procedure for investigating cybersecurity incidents as well as possible remediation activities.


Incident investigation usually includes these actions:


  • Collecting data on the incident (reviewing user sessions recorded by the user activity monitoring (UAM) tool, interviewing witnesses, etc.)
  • Assessing the harm caused by the incident
  • Securing evidence for possible forensic activities
  • Reporting on the incident to superior officers and regulatory authorities (as required)


After the investigation, you’ll understand the scope of the incident and its possible consequences. Based on that, you can devise a detailed remediation plan, which should include communication strategies as well as any required changes to your cybersecurity software and to the insider threat program itself.


9. Educate your employees


The contents of a training course will depend on the security risks, tools, and approaches used in a particular organization. However, during any training, make sure to:


  • Explain the reason for implementing the insider threat program and include examples of recent attacks and their consequences
  • Describe common employee activities that lead to data breaches and leaks, paying attention to both negligent and malicious actions and including examples of social engineering attacks
  • Let your employees know whom they should contact first if they notice an insider threat indicator or need assistance on cybersecurity-related issues


The final part of insider threat awareness training is measuring its effectiveness. To do this, you can interview employees, prepare tests, or simulate an insider attack to see how your employees respond. These actions will reveal what your employees learned during training and what you should pay attention to during future training sessions.

10. Review your program periodically


Creating an insider threat program isn’t a one-time activity. Insider threats change and become more elaborate and dangerous, and your program should evolve to stay efficient. Make sure to review your program at least in these cases:


  • At set intervals
  • After an insider threat incident
  • When new compliance requirements or cybersecurity approaches appear
  • When the insider threat response team changes

How can Ekran System help you implement an insider threat program?


Ekran System provides you with all the tools needed to protect yourself against insider threats. With Ekran, you can deter possible insider threats, detect suspicious cybersecurity incidents, and disrupt insider activity.


Note that Gartner mentions Ekran System as an insider threat detection solution in its Market Guide for Insider Risk Management Solutions report (subscription required).


You can manage user access granularly with a lightweight privileged access management (PAM) module that allows you to configure access rights for each user and user role, verify user identities with multi-factor authentication, manually approve access requests, and more. With these controls, you can limit users to accessing only the data they need to do their jobs. In this way, you can reduce the risk of insider threats and inappropriate use of sensitive data.


User activity monitoring functionality allows you to review user sessions in real time or in captured records. Using it, you can watch part of a user session, review suspicious activity, and determine whether a user’s actions were malicious or caused harm.


You can set up a system of alerts and notifications to make sure you don’t miss any indicator of an insider threat. When Ekran System detects a security violation, it alerts you of it and provides a link to an online session. You can search for a security event yourself using metadata filters, or you can use the link in the alert sent out by Ekran System. 


Ekran System’s user and entity behavior analytics (UEBA) module is another feature that helps you detect insider activity. It assigns a risk score to each user session and alerts you of suspicious behavior. For example, the UEBA module can alert you if a user logs in to the system at an unusual hour, as this is one indicator of a possible threat.
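To make the baseline-and-score approach concrete (the UEBA detection measure in step 6 and the unusual-hour login alert just mentioned), here is a small added example. It is illustrative code written for this article, not Ekran System’s UEBA module, and it runs over constructed log lines: it learns which hours each user normally logs in, scores each new login against the user’s own baseline, the organisation-wide baseline, and the calendar, and raises an alert when the score crosses a threshold. The log format, the score weights, `MIN_SAMPLES`, and `ALERT_THRESHOLD` are all assumptions chosen for the example.

```python
"""Toy UEBA-style login-hour baseline check (added example, not Ekran System code).

Builds a per-user baseline of login hours from historical records, then scores
new logins against it. A login at an hour the user has never used is one
indicator; a login at an hour nobody in the organisation uses, or on a weekend,
raises the score further. Scores at or above a threshold become alerts.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system).
# Format: "<ISO timestamp> <user> <event>"
HISTORY = """\
2021-03-01T08:55:00 alice login
2021-03-02T09:05:00 alice login
2021-03-03T08:40:00 alice login
2021-03-04T09:15:00 alice login
2021-03-05T08:50:00 alice login
2021-03-05T17:30:00 alice logout
2021-03-01T10:02:00 bob login
2021-03-02T09:48:00 bob login
2021-03-03T13:30:00 bob login
2021-03-04T10:11:00 bob login
2021-03-05T09:59:00 bob login
2021-03-03T11:00:00 carol login
"""

# Constructed logins to evaluate against the baseline.
NEW_LOGINS = """\
2021-03-08T09:02:00 alice login
2021-03-08T13:05:00 alice login
2021-03-08T11:00:00 carol login
2021-03-13T02:17:00 alice login
"""

ALERT_THRESHOLD = 3   # assumed value: tune to your environment
MIN_SAMPLES = 5       # assumed value: logins needed before a baseline is trusted


def parse_events(text):
    """Parse log lines into (timestamp, user, event) tuples; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def build_baseline(events, min_samples=MIN_SAMPLES):
    """Return {user: set of login hours} for users with enough login history."""
    hours = defaultdict(list)
    for ts, user, event in events:
        if event == "login":
            hours[user].append(ts.hour)
    return {u: set(h) for u, h in hours.items() if len(h) >= min_samples}


def org_hours(baseline):
    """Hours used by anyone with a baseline: the organisation-wide pattern."""
    return set().union(*baseline.values())


def score_login(ts, user, baseline, org):
    """Score one login; higher means more unusual. Returns (score, reasons)."""
    score, reasons = 0, []
    if user not in baseline:
        score += 1
        reasons.append("no baseline for user")
    elif ts.hour not in baseline[user]:
        score += 2
        reasons.append("hour outside user baseline")
    if ts.hour not in org:
        score += 3
        reasons.append("hour outside organisation baseline")
    if ts.weekday() >= 5:   # Monday is 0, so 5 and 6 are Saturday and Sunday
        score += 1
        reasons.append("weekend")
    return score, reasons


def evaluate(history_text, new_text, threshold=ALERT_THRESHOLD):
    """Score every new login against the baseline; return a list of alert dicts."""
    baseline = build_baseline(parse_events(history_text))
    org = org_hours(baseline)
    alerts = []
    for ts, user, event in parse_events(new_text):
        if event != "login":
            continue
        score, reasons = score_login(ts, user, baseline, org)
        if score >= threshold:
            alerts.append({"time": ts.isoformat(), "user": user,
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(HISTORY, NEW_LOGINS):
        print(f"ALERT {alert['time']} {alert['user']} score={alert['score']}: "
              f"{', '.join(alert['reasons'])}")
```

Note the two design points a practitioner would want: a user without enough history gets no trusted baseline and is scored against the organisation-wide pattern instead of being silently ignored, and a login at an hour that is unusual for one user but normal for colleagues (alice at 13:05 here) is recorded with a low score rather than raised as an alert, which keeps the response team from drowning in noise.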


Your response to a detected threat can be immediate with Ekran System. Upon violation of a security rule, you can block the process, session, or user until further investigation. Also, Ekran System can do all of this automatically.


These features allow you to deter users from taking suspicious actions, detect insider activity at the early stages, and disrupt it before an insider can damage your organization.





The ten steps above constitute a general insider threat program implementation plan that can be applied to almost any company. You can modify these steps according to the specific risks your company faces.


With this plan to implement an insider threat program, you can start developing your own program to protect your organization against insider threats.