How to Build an Insider Threat Program [12-step Checklist]


A functional insider threat program is a core part of any modern cybersecurity strategy. Having controls in place to prevent, detect, and remediate insider attacks and inadvertent data leaks is a necessity for any organization that strives to protect its sensitive data.


A functional insider threat program is required by many regulations worldwide. For example, NISPOM Change 2 makes it obligatory for any subcontractor working with the US Department of Defense to implement an insider threat program. However, designing an insider threat program that is both effective and efficient can be hard.


In this article, we’ll give you some tips and tricks on how to build an insider threat program. We’ll discuss the dangers of malicious and inadvertent insiders and talk about ways to detect, prevent, and remediate insider attacks.


Who can carry out an insider attack?

Outsiders and opportunistic attackers are considered the main sources of cybersecurity violations. But there are many reasons why an insider threat is more dangerous and expensive:


  • Insiders know their way around your network.
  • Insiders know what valuable data they can steal.
  • Insiders have legitimate credentials, so their malicious actions can go undetected for a long time.


Therefore, the first step to creating a defense mechanism is getting to know what you’re up against.


Insider threats can come from four main groups of employees:


  • Privileged users. These are usually administrators and database operators who have direct and unrestricted access to sensitive information. This is probably the most dangerous group, since they’re the most trusted insiders. Instances of data theft and fraud for self-gain are not a rarity, and system administrators’ mistakes can have severe consequences.
  • Remote subcontractors. Remote employees and third-party partners have access to your sensitive data. The catch is that while you may be confident in your own security, you don’t actually know much about your partners’ security policies. Thus, it’s important to always monitor the actions of remote subcontractors and make sure they aren’t misusing your data.
  • Former employees. Disgruntled employees can sometimes try to take revenge on a company after leaving. Sometimes, freshly terminated employees may try to steal your data and use it to start a competing business or take it to your competitors.
  • Inadvertent insiders. Not all insider attacks are deliberate. Sometimes employees leak sensitive data online completely inadvertently, for example by sending an email to the wrong recipient. Such mistakes can go undetected for a long time, causing damage that translates into severe remediation costs when the incident eventually comes to light.


No matter the reason why malicious insiders commit their crimes, all insider attacks have two things in common – they’re very hard to detect and very costly to remediate. This is because employees have legitimate access to sensitive data, which makes it extremely difficult to distinguish between misuse and actual work routines.


Due to the difficulty of detection, insider attacks can persist for years, which eventually leads to remediation costs ballooning out of proportion. An effective insider threat program helps to mitigate that risk and reduce expenses on covering losses from a data breach.


Insider threat program – 12 crucial steps


Now that we’ve established the dangers of insider threats and essential government requirements, let’s look at standard steps to establishing an insider threat program for your organization.


Here’s a checklist for creating an insider threat program:


  • Research cybersecurity requirements in your industry
  • Form a group of interested stakeholders
  • Determine critical assets
  • Perform an insider threat risk assessment
  • Create a written insider threat policy
  • Appoint a manager responsible for dealing with insider threats
  • Conduct employee background checks
  • Educate your employees
  • Monitor user access
  • Monitor user actions
  • Form a remediation strategy
  • Revise your insider threat program


The checklist for creating an insider threat program includes 12 steps.


There are 12 crucial things that you need to do while building an insider threat program:


1. Research cybersecurity requirements in your industry


Today, data has become one of the most valuable assets of any company. There are laws and recommendations telling you how to protect your data and what to do in case you’ve been breached. These documents usually include a dedicated section on or separate controls regarding an insider threat program.


The most famous cybersecurity regulation at the moment is, of course, the General Data Protection Regulation (GDPR). Published in 2018, GDPR requires any company working with EU residents to strengthen their security standards. It also increases penalties for non-compliance.


Cybersecurity requirements may differ depending on the industry and the type of data you store. The strictest regulations are imposed on medical (HIPAA) and financial (Sarbanes-Oxley Act) institutions and on public offices and their partners (NIST, NISPOM). If you work in a different area, look up the relevant regulations in order to get some ideas for your insider threat program.


2. Form a group of interested stakeholders


Creating an insider threat program is often considered an expensive and low-priority task, especially in companies which believe they aren’t at risk of an insider attack. Therefore, the first step toward building an effective program is gaining the support of your company’s top management.


It’s good practice to start a discussion on an approach to an insider threat program with head officers from various departments of your company.


3. Determine critical assets


Defining what assets you consider sensitive is the cornerstone of an insider threat program. These can be both physical and virtual assets: client and employee data, technology secrets, internal documentation, policies, servers, prototypes, etc.


When identifying data worth protecting, you can ask for advice from your stakeholders and department managers. For example, accountants know best what financial information shouldn’t fall into the wrong hands, sales managers can tell what client data they collect and store, and the IT department can point out vulnerabilities in the network.


4. Perform an insider threat risk assessment


Companies often use regulations as a blueprint for implementing security controls. They treat requirements as a checklist to be followed while rarely considering the impact each control has on their business.


A healthier approach is to use risk assessment to form an accurate picture of the state of your security, vulnerabilities, and potential threats, and then implement insider threat detection based on it. In terms of insider threats, you need to audit all your sensitive data and determine which parts are most vulnerable and which attacks on which of those parts would have the biggest impact on your organization. Then you need to formulate a security strategy and prioritize implementation of your security controls based on the results of this risk assessment.


5. Create a written insider threat policy


A written insider threat policy is a great way to formalize your program and familiarize your employees with it. This policy should contain clear descriptions of all rules and measures that you implement so your employees have a clear idea of what they can and can’t do.


A written insider threat policy is also a great tool for enforcing an insider threat program and controlling its implementation. One caveat is that it needs to be enforced from top to bottom in order to be effective. Make sure that your upper management adopts and follows the same rules that the rest of your employees are required to follow. Also, don’t forget to revise the policy in order to keep it up to date.


You can even find insider threat program templates on the internet. These are generic, so don’t forget to adjust them to your needs.


6. Appoint responsible personnel


It’s important to clearly establish who’s responsible for implementing your insider threat program and dealing with insider threats. Unless you’re a large corporation, you don’t need a whole department to fill this role. Instead, a single competent upper-level manager with the power to enforce the implementation and execution of security controls should be enough.


Another thing you may consider is creating a general insider threat protection strategy for the whole organization but letting heads of departments decide how to implement protection measures in a way that minimizes the impact on the established workflow within their own departments.


7. Conduct employee background checks


Background checks are not a panacea. They can’t fully mitigate the risk of insider threats. However, they’re an important initial step in reducing the likelihood of insider threats, as they allow you to weed out the riskiest applicants when hiring. You can single out a potential attacker by paying attention to indicators of a typical malicious insider.

It’s also important to perform background checks not only when hiring but periodically for all employees. Unexplained changes in the financial position of an employee or their family can be a telltale sign of an insider threat. In addition, any employee who has received a notice of termination or expects to be terminated in the near future poses a heightened risk of committing insider attacks.




8. Educate your employees


When implementing an insider threat program, it’s always important to get your own employees on your side. To do this, you need to explain to them the dangers your company faces, for instance when anyone writes their password on a piece of paper and sticks it next to their monitor.


Cybersecurity awareness training can significantly reduce the likelihood of inadvertent data leaks and misuse of sensitive information. It’s also important to inform your employees about phishing techniques that perpetrators can use to get control over accounts. Informed employees are extra careful, reducing the risk that malicious perpetrators will be able to get into your system with compromised credentials and wreak havoc from within.


9. Monitor user access


User access management is one of the cornerstones of insider attack prevention and detection. Additional authentication options let you distinguish between the users of a shared account and make sure that the right person is authenticating under the right account.


It’s worth remembering several simple rules of access control:


  • Make sure that each account has a unique, strong password
  • Change passwords every 90 days or implement a one-time password tool
  • Prohibit password sharing
  • Prohibit shared accounts
  • Use more than one authentication tool for privileged users
  • Use the principle of least privilege when creating new user accounts (restrict access unless needed)


Access management software by itself is more about prevention than detection. While unusual access patterns can be an indicator of unauthorized access, this is by no means a sure method. Usually, malicious insiders use legitimate credentials to commit attacks during their usual work hours, and the only way to detect those is to know exactly what your users are doing.
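One way to turn the access control rules above into a repeatable check is a small audit over an account inventory. This is an added example, not code from the original article or from any product it mentions; the inventory records (owners, privilege flag, MFA flag, password change date, a password fingerprint standing in for a hash comparison, and granted versus role-approved access) are constructed for illustration.

```python
from collections import Counter
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # rotation interval from the checklist
AUDIT_DATE = date(2024, 6, 15)  # constructed "today" for the sample run

# Constructed sample inventory (hypothetical data, not from any real system).
# pw_fingerprint stands in for a salted-hash lookup: equal values mean the same password.
ACCOUNTS = [
    {"user": "alice", "owners": ["alice"], "privileged": False, "mfa": False,
     "pw_changed": date(2024, 5, 1), "pw_fingerprint": "fp-a1",
     "access": {"crm"}, "role_access": {"crm"}},
    {"user": "dba_shared", "owners": ["bob", "carol"], "privileged": True, "mfa": False,
     "pw_changed": date(2024, 1, 10), "pw_fingerprint": "fp-b2",
     "access": {"db_prod"}, "role_access": {"db_prod"}},
    {"user": "dave", "owners": ["dave"], "privileged": True, "mfa": True,
     "pw_changed": date(2024, 6, 1), "pw_fingerprint": "fp-b2",
     "access": {"db_prod", "hr_files"}, "role_access": {"db_prod"}},
]


def audit_account(acct, today, reused_fingerprints):
    """Return the checklist rules this one account violates (empty list = compliant)."""
    findings = []
    if len(acct["owners"]) != 1:                      # rule: no shared accounts
        findings.append("shared account")
    if acct["pw_fingerprint"] in reused_fingerprints:  # rule: unique password per account
        findings.append("password reused across accounts")
    if (today - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:  # rule: rotate every 90 days
        findings.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
    if acct["privileged"] and not acct["mfa"]:        # rule: second factor for privileged users
        findings.append("privileged account without second factor")
    excess = acct["access"] - acct["role_access"]     # rule: least privilege
    if excess:
        findings.append("access beyond role: " + ", ".join(sorted(excess)))
    return findings


def audit(accounts, today):
    """Map each account name to its findings; password reuse is detected across accounts."""
    counts = Counter(a["pw_fingerprint"] for a in accounts)
    reused = {fp for fp, n in counts.items() if n > 1}
    return {a["user"]: audit_account(a, today, reused) for a in accounts}


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, AUDIT_DATE).items():
        print(user, "->", findings or ["compliant"])
```

Feeding the script a real export (for example from your directory service) instead of the constructed list gives a concrete, reviewable list of rule violations to hand to the responsible manager from step 6.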




10. Monitor user actions


User activity monitoring is the most powerful tool in your arsenal for fighting insider threats. Using dedicated monitoring software allows you to see every user action in your network, making it easy to distinguish between legitimate work and malicious actions.


User action monitoring solutions can alert you to suspicious events, acting as great detection tools. Gathered data can be analyzed and used for investigations or as evidence in court. It’s often hard to prove that a person is actually guilty of an insider attack. User action monitoring solutions will allow you to prove it.


11. Form a remediation strategy


For insider threat protection, you also need a remediation strategy. Even if you have the proper tools and controls in place, you still need to have procedures planned that will allow you to quickly respond to incidents and immediately mitigate damage.


The most important thing about a remediation plan is that it should be realistic and easy to execute. Don’t try to cover every possible scenario with a separate plan; instead, create several basic models that cover a range of potential incidents and are simple enough to put into practice.


Another thing you may consider is creating an incident response team. It should include several employees who have appropriate training in minimizing losses. Contrary to common belief, this team should consist not only of IT specialists but should also include a lawyer, a PR manager, and a security officer. Basically, they are the Avengers of your company.




12. Revise your insider threat program


Insider threat protection is a continuous process that doesn’t end with implementing the program. Cyber attackers (both insiders and outsiders) are becoming more inventive day by day. In order to keep your program up to date, you should revise it at least once a year; twice a year would be optimal. In addition, keep an eye on new best practices and standards and investigate breaches that happen in your industry.




The twelve points above constitute a general insider threat program plan that can be applied to almost any company. You can modify these steps according to the specific risks that your company faces.


Nowadays, an insider threat program is a must even for the smallest companies. There’s a myth that creating such a program is a costly affair. But there are solutions on the market that provide a great set of features for an affordable price. For example, Ekran System helps with insider threat prevention by delivering access and identity control tools, full-featured user action and privileged user monitoring with recordings of any action taken inside the protected perimeter, and an essential incident response tool set. Coupled with its flexible licensing scheme, Ekran System insider threat protection software can be an effective tool for enhancing your insider threat program.