Ekran System Blog

News, opinions, and industry insights

How to Build an Insider Threat Program


A functional insider threat program is a core part of any modern cybersecurity strategy. Having controls in place to prevent, detect, and remediate insider attacks and inadvertent data leaks by your own employees or subcontractors is a necessity for any organization that strives to reliably protect its own sensitive data.

How to build an insider threat program

Many companies recognize the importance of reliable insider threat protection and thus employ robust insider threat programs. Having a functional insider threat program is a requirement to comply with many regulations both in the US and worldwide (for example, NISPOM Change 2 makes it obligatory for any subcontractor working with department of defense to implement an insider threat program). This compels even small companies to take insider threats seriously.


However, it can be hard to actually establish an insider threat program that is both effective and efficient. The benefits of a functional insider threat program for your organization can be hard to quantify, which leads companies to under-finance their programs and often take the wrong approach to implementing them based on compliance requirements rather than risk assessment.


In this article, we’ll give you some tips and tricks on how to build an insider threat program that’s both effective and efficient in terms of costs and worker-hours required. We’ll discuss the dangers of malicious and inadvertent insiders and talk about ways to detect, prevent, and remediate insider attacks. Before we go into details, however, the most important thing we need to discuss is the approach you need to take when establishing your insider threat program.


The right approach is the key


The key to creating an insider threat program is going about it with the right mindset. Companies often don’t consider insider threat protection to be worthwhile, mainly because they overestimate the costs and underestimate their own vulnerability. There are two things that you need to recognize when it comes to insider threats:


Recognize that you’re a target. Any company can be the subject of insider attacks, regardless of its size and the type of business it does. Sure, there are some industries with increased risks of insider threats, such as healthcare, education, and finance, but this doesn’t mean that if you’re working in retail you’re safe. Your own employees and subcontractors are always in a position to take advantage of your sensitive data, and you need to recognize this.


Moreover, even without malicious intent, employees can leak or damage data inadvertently. The ability to quickly detect and deal with such incidents is crucial for minimizing damage.


Recognize that the benefits far outweigh the costs. Data theft and data leaks can be extremely costly. They often result in high remediation costs, damages to reputation, and losses for customers, and sometimes even fines and legal actions against your company. The only way to minimize damages is to quickly detect insider attacks and immediately take actions to remediate them. Being prepared and having the ability to act quickly will save you a lot of money in the long run.


Recognizing the importance of an insider threat program is only the first step. It’s also important to understand how to establish and implement such a program based on your own unique situation.


Use the results of a risk assessment as the basis for your insider threat program


Companies often use regulations as a blueprint for implementing security controls. They treat requirements as a checklist to be followed while rarely considering the impact each control has on their business.


A healthier approach is to use risk assessment to form an accurate picture of the state of your security, vulnerabilities, and potential threats, and then implement security controls based on this. In terms of insider threats, you need to audit all your sensitive data and determine which parts of it are most vulnerable and which attacks on which parts would have the biggest impact on your organization. Then you need to formulate a security strategy and start prioritizing implementation of your security controls based on the results of this risk assessment.


Why are insider threats so dangerous


An important part of risk assessment is understanding threats your company faces. We talk a lot about the danger of insider threats without exploring who exactly these malicious insiders are and why they’re so dangerous.


Insiders can be divided into four main sample groups:


  • Privileged users. These are usually administrators and database operators – in other words, people who have direct and unrestricted access to sensitive information. This is probably the most dangerous group of malicious insiders, since it’s the most trusted. Instances of data theft and fraud for self-gain are not a rarity, and mistakes by system administrators can also have severe consequences.
  • Remote subcontractors. Every company works with remote employees and third-party partners. Often times, these parties have access to your sensitive data. The catch is that while you may be confident in your own security, you don’t actually know what the state of security is on their side. Thus, it’s important to always monitor the actions of remote subcontractors and make sure they aren’t misusing your data.
  • Former employees. Disgruntled employees can sometimes try to take revenge on a company for perceived wrongdoing. Sometimes, freshly terminated employees may try to steal your data and use it to start a competing business or take it to your competitors. In any case, any employee who has received a notice of termination or expects to be terminated in the near future poses a heightened risk of committing insider attacks. 
  • Inadvertent insiders. Not all insider attacks are deliberate. Sometimes employees leak sensitive data online completely inadvertently, for example by sending an email to the wrong recipient. Such mistakes can go undetected for a long time, similar to deliberate insider attacks, causing damage that translates into severe remediation costs when the incident eventually comes to light.


There are various reasons why malicious insiders commit their crimes. Some try to steal big chunks of data in order to sell it on the black market; others prefer committing small-scale fraud for years without being noticed. Your competitors can bribe and blackmail your own employees to involve them in industrial espionage.


In other instances, employees are trying to take revenge on a company or make a political statement. Sometimes, an insider attack can even be attributed to cyber terrorism, where a perpetrator tries to inflict as much damage as possible.


No matter the reason, all insider attacks have two things in common – they’re very hard to detect and very costly to remediate. This is because employees have legitimate access to sensitive data, which makes it extremely difficult to distinguish between misuse and actual work routines. Due to the difficulty of detection, insider attacks can persist for years, which eventually leads to remediation costs ballooning out of proportion.


Insider threat program – seven crucial steps


Now that we’ve established the dangers of insider threats and the benefits of an insider threat program, let’s look at a standard insider threat program template.


There are seven crucial things that you need to do to establish an insider threat program:


Create a written insider threat policy


A written insider threat policy is a great way to formalize your insider threat program and familiarize your employees with it. This policy needs to contain clear descriptions of all rules and measures that you implement, and needs to give your employees a clear idea of what they can and can’t do.


A written insider threat policy is also a great tool for enforcing an insider threat program and controlling its implementation. One caveat is that it needs to be enforced from top to bottom in order to be effective. Make sure that your upper management adopts and follows the same rules that the rest of your employees are required to follow.  


Designate responsible personnel


It’s important to clearly establish who’s responsible for implementation and execution of your insider threat program. Unless you’re part of a large corporation, this doesn’t mean that you need a whole department to fill this role. Instead, a single competent upper-level manager with the power to enforce implementation and execution of security controls should be enough.


Another thing you may consider is creating a general insider threat protection strategy for the whole organization, but letting heads of departments decide how to implement protection measures in a way that minimizes impact on the established workflow within their own departments.


Conduct background checks


Background checks are not a panacea. They can’t fully mitigate the risk of insider threats. However, they’re still an important initial step in reducing the likelihood of insider threats occurring, as they allow you to weed out the most risky applicants when hiring.


It’s also important to perform background checks not only when hiring, but periodically for all employees. Unexplained changes in the financial position of an employee or their family can be a telltale sign of an insider threat.


Educate your employees


When implementing an insider threat program, it’s always important to get your own employees on your side. To do this, you need to explain to them the dangers your company faces and the measures you’re taking to mitigate them. If your employees know that the well-being of the whole company, and by extension their livelihoods, depends on them following certain cybersecurity practices, they’ll be much more inclined to do so.


Cybersecurity awareness training also reduces the likelihood of inadvertent data leaks and misuses of sensitive information. When employees know about potential risks, they’re often extra careful and double check everything they do. It’s also important to inform your employees about various phishing techniques that perpetrators can use to get control over their accounts. Having informed employees reduces the risk that malicious perpetrators will be able to get into your system with compromised credentials and wreak havoc from within.


Monitor user access


User access control is one of the cornerstones of insider attack prevention and detection. Additional authentication options allow you to distinguish between users of shared accounts and allow you to make sure that the right person is authenticating under the right account.


It’s worth remembering several simple rules for access control:


  • Make sure that each account has a unique, strong password
  • Prohibit password sharing
  • Prohibit shared accounts
  • Use the principle of least privilege when creating new user accounts (restrict access unless necessary)


Access management software by itself is more about prevention than detection. While unusual access patterns can be used as an indicator of unauthorized access, this is by no means a sure thing. Usually, malicious insiders use legitimate credentials to commit attacks during their usual working hours, and the only way to detect those is to know exactly what your users are doing.


Monitor user actions


User action monitoring is the most powerful tool in your arsenal for fighting insider threats. It allows you to see everything your users are doing from their own point of view, making it easy to distinguish between legitimate work and malicious actions.


User action monitoring solutions can alert you to suspicious events, acting as great detection tools. Gathered data can be analyzed and used for investigations or as evidence in court. It’s often hard to prove that a person is actually guilty of an insider attack. User action monitoring solutions will allow you to prove it.


Of course, with the steep prices of many user action monitoring solutions, smaller companies often find themselves questioning whether they’re worth the investment. In reality, there are solutions on the market aimed at both small companies and large enterprises that provides both a great set of features and an affordable price. One such solution is our very own Ekran System, which provides both full-featured user action monitoring software and a slew of access control options to create a complete package for effective insider threat prevention – coupled with flexible and affordable pricing.


Form a remediation strategy


For insider threat protection, the last but not least thing you need to do is remediation. Even if you have the proper tools and controls in place to prevent, detect, and investigate insider attacks, you still need to have procedures planned that will allow you to quickly respond to incidents and immediately mitigate damage.


The most important thing about a remediation plan is that it should be realistic and easy to execute. Don’t try to cover every possible scenario with a separate plan; instead, create several basic models that broadly cover a range of potential incidents and are simple enough to be practical. Don’t forget to appoint a specific employee to be responsible for enacting your insider threat remediation strategy so as to avoid confusion when an incident actually hits.


Insider threat program – easier than you think


The seven points above constitute a general insider threat program plan that can be applied to almost any situation. However, each company is unique and you should always build an insider threat program that fits your own organization. This is why we encourage you to take the template from this article and modify it according to the risks your own company faces.