Mitigating Insider Threats: Plan Your Actions in Advance


In the modern world, almost every company is exposed to insider threats in the form of either deliberate attacks or accidental data leaks. In any case, it’s best to get ready before all hell breaks loose. A risk mitigation plan for an insider attack prepares you for this situation and helps you reduce the damage.


In this article, we discuss risk mitigation plans – what they are, their purpose, their key elements – and best practices for insider threat protection.


What is a risk mitigation plan?


Risk management is a process that includes identifying, evaluating, prioritizing, and mitigating potential dangers facing an organization. It allows a company to prevent risks from becoming reality or cut losses if they do happen.


Implementing risk management is a requirement. There are several recommendations on how to establish risk management processes in an organization. The most comprehensive standards are created by NIST, ISO, and PMI.


Let’s examine one of the most essential components of risk management: mitigation.


A mitigation plan is a document that maps out options and actions to reduce the impact of a risk if it becomes reality. This plan aims to:

  • define the risks a company faces and their root causes
  • evaluate possible consequences and losses if those risks are realized
  • identify job positions and resources that are endangered or can be a source of threat
  • develop a set of tools and actions for the situation when a certain risk becomes critical
  • set up continuous risk management processes in the company


There are several ways to implement such a plan. You can create a standalone document dedicated to insider threats and mitigating data breaches; or you can implement a plan as part of a wider insider threat policy or a subsection of a corporate risk management policy.


You can find a lot of plan templates on the internet. Remember to adjust them to your organization’s specific needs and threats.

Key steps to mitigating a risk


When a hypothetical threat comes to life, it’s critical to respond fast and flawlessly. Response time is one of the key components in the cost of a data breach. Therefore, a company needs to be prepared for any possible situation.


In order to create a valid risk mitigation plan, you need to:

  • identify potential threats
  • evaluate and prioritize dangers
  • create a written mitigation plan


Let’s review the best practices to put this plan into action.

Identify risks


Defining what threats you face is the cornerstone of risk mitigation. The Project Management Institute defines six key stages of identifying risks:

  • Template specification. Before identifying threats, you should create a template for writing them down. As obvious as it may seem, a single template that considers all risk parameters shouldn’t be underestimated. It should include causes of risks, the time and place of their realization, possible effects, and affected resources.
  • Basic identification. At this stage, the security team (or any other team responsible for the process) defines basic threats. Classic brainstorming, interviewing experts, and SWOT analysis are good enough to discover potential dangers.
  • Detailed identification. At this stage, previous research results become the basis for more profound research and discovery of hidden risks. Interviewing team leaders and reviewing project documentation with the Delphi method or nominal group technique can provide more insights on the subject.
  • External cross-check. Up to this point, all research has been performed within a dedicated team. Now it’s time to start a discussion with other departments in the company to get an alternative view on the subject.
  • Internal cross-check. Validate that the risk list reflects all results of the public discussion and that you’ve made all necessary changes to the project scope.
  • Statement finalization. Turn your research results into formalized documents using the template you created in the first phase.

Figure: The six phases of risk identification (image credit: Project Management Institute).

Risk evaluation


Any business, however small or large, faces too many risks to handle them all at the same time. For example, there’s always a possibility of a flood or an earthquake, and you need a plan of action in case they happen. But data misuse or theft is much more likely. So you need to evaluate all risks in terms of probability and possible impact.


The easiest way to do that is by creating a risk probability/impact matrix. It’s basically a graph with two axes. The horizontal axis estimates the impact of a risk on your organization from trivial to extreme. The vertical axis represents the probability of an event, from rare to very likely. Depending on the cell where the risk lands, it gets a priority from low to medium to high.

External inputs, brainstorming, and research are especially useful for risk evaluation.

Figure: A risk probability/impact matrix.

Risk mitigation planning


Evaluating possible threats with a probability/impact matrix leaves you with a set of risks in the orange and red zones. These require a clear mitigation strategy.


As we’ve mentioned, you can search for a mitigation plan template on the internet or create your own. Note that each risk description should consist of:

  • a segment, e.g. subcontractors
  • affected assets, e.g. infrastructure server configuration, customer data, employees’ private information, etc.
  • risk description – we’ve already created this during the identification process
  • risk trigger – how we’ll know that the risk has occurred
  • response plan – a link to a detailed set of actions, or a brief description written directly in the entry
  • response team – employees responsible for implementing the plan
  • responsible person – an employee (usually a security officer) in charge of risk monitoring and response
  • mitigation actions – a set of actions to decrease the probability of a risk and minimize its potential impact
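The following is an added example, not part of the article: it models one mitigation plan entry with the fields listed above, scores it on the probability/impact matrix described earlier, and pulls out the entries that land in the orange and red zones. The intermediate axis labels, the zone thresholds, and the sample entries are assumptions.

```python
"""Risk register with probability/impact prioritization (added example, not from the article)."""
from dataclasses import dataclass, field

# Ordered axis labels, lowest first. The article names only the endpoints
# (rare..very likely, trivial..extreme); the intermediate labels are assumed.
PROBABILITY = ["rare", "unlikely", "possible", "likely", "very likely"]
IMPACT = ["trivial", "minor", "moderate", "major", "extreme"]

@dataclass
class Risk:
    """One entry of the mitigation plan, using the fields the article lists."""
    segment: str
    affected_assets: list
    description: str
    trigger: str
    probability: str
    impact: str
    response_plan: str = ""
    response_team: list = field(default_factory=list)
    responsible_person: str = ""
    mitigation_actions: list = field(default_factory=list)

    def score(self) -> int:
        """Cell weight 1..25: axis position (1..5) of probability times that of impact."""
        return (PROBABILITY.index(self.probability) + 1) * (IMPACT.index(self.impact) + 1)

    def priority(self) -> str:
        """Low/medium/high zone; the thresholds are assumed, tune them to your own matrix."""
        s = self.score()
        return "high" if s >= 12 else "medium" if s >= 5 else "low"

def needs_mitigation_strategy(register):
    """Risks in the orange/red zones (medium and high), most severe first."""
    hot = [r for r in register if r.priority() != "low"]
    return sorted(hot, key=lambda r: r.score(), reverse=True)

def sample_register():
    """Constructed sample entries, including the article's flood example."""
    return [
        Risk("subcontractors", ["customer data"], "vendor copies customer records",
             "DLP alert on bulk export by a vendor account", "likely", "major",
             response_plan="IR-07", response_team=["security", "legal"],
             responsible_person="security officer",
             mitigation_actions=["least-privilege vendor accounts", "session monitoring"]),
        Risk("facilities", ["server room"], "flood in the data centre",
             "water sensor alarm", "rare", "extreme", response_plan="BCP-02"),
        Risk("office IT", ["printers"], "printer outage", "helpdesk ticket",
             "possible", "trivial"),
    ]
```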


Mitigating the risk of insider threats


Almost 70% of small and medium-sized businesses have already experienced a cyber attack. But large enterprises are at risk as well: cybersecurity breaches in 2018 at Tesla, Facebook, and Coca-Cola prove that.


Insider attacks are among the main causes of sensitive data and resource abuse. Let’s consider strategies to mitigate this threat.

Identifying insider threats


All insider threats can be identified by their source. There are two methods to identify the source of a risk:

  • Concentrate on those who have the means to attack. This is an access-based approach. Define who has the possibility to mess with your sensitive data and guard against them the most, regardless of their intent.
  • Concentrate on those who have motive. This approach is behavior-based. It’s about monitoring users who are disgruntled with the company or show suspicious behavior.


Malicious activity can be performed by anyone with access to your network: an average worker, an employee with privileged access (like a system administrator), a third-party vendor, or a business partner.


Start with studying the most common types of malicious insiders, their motives, and indicators of harmful intent. Then divide all potential attackers into several lists based on access and reasons for data theft. Don’t forget to include categories like recently fired workers and new subcontractors. It’s also good practice to set up a privileged account monitoring system to keep an eye on the most trusted employees.

Examples of typical insider threats


Studying security statistics and cases allows us to outline a few of the most common insider attacks. Strategies for dealing with these are a must for any good cybersecurity threat mitigation plan. Here are the key types of insider attacks:

  • Data misuse. Any employee may use sensitive corporate data for personal reasons (e.g. getting information on friends and family members or stealing trade secrets to start their own business). In 2017, police in the UK disclosed 2,315 cases of misuse by officers in order to spy on people they knew or leak inside data to third parties.
  • Phishing. We’ve all received an email purporting to be from Facebook or a bank with a demand to send our credentials in order to verify an account. Despite the number of warnings not to act hastily, most people still click on such emails. Using phishing, in 2018 hackers breached New York Oncology Hematology and accessed private data of more than 128,400 patients and employees.
  • Malicious employee actions. Some employees have privileged access to company data. Abusing it in order to sell, leak, or compromise data takes a matter of minutes if an employee has the motive and skills. In 2018, Punjab National Bank lost 1.8 billion dollars because of the actions of an employee who abused his access to SWIFT transactions and transferred money to a third-party account.
  • Malicious third-party actions. Company subcontractors form a considerable risk group, as they have access to sensitive data while staying out of the protected perimeter. In 2018, British Airways lost financial and personal data of 380,000 customers because of a third-party attack carried out through JavaScript on its website.

Insider threat response plan


As we’ve mentioned, response time is vital when talking about data security threats. The 2018 Cost of a Data Breach Study by the Ponemon Institute points out that it takes on average 197 days to identify and contain a data breach. A clear incident response plan and a trained incident response team can significantly lower this number.


A well-thought-through response plan should include:

  • Positions and duties of each response team member. This team should include specialists from various departments: top management, IT, security, HR, PR, legal, customer service. This will allow you to handle all possible aspects and outcomes of an attack.
  • Information on threat response education. This document should establish a continuous educational procedure to keep your response team up to date on new types of threats and mitigation strategies. It’s best to involve a dedicated insider threat analyst to get extra insights.
  • Tools for attack detection and analysis. A clear understanding of what has happened and what type of data has been compromised is essential for response actions. The best way to stay informed is to deploy an insider threat protection solution with user monitoring, alerting, and reporting functionality.
  • Communication guidelines. When someone’s data is compromised, data protection regulations require you to notify all people involved. This can be an organization’s clients and customers, employees, and partners. Draw up several notification messages and plan communication channels for each type of attack so you don’t waste time on it if disaster strikes.

Insider risk mitigation actions


Deploying an insider threat protection solution is a reliable way to mitigate an insider data breach.

Case study: US-Based Defense Organization Enhances Insider Threat Protection with Ekran System [PDF]

Dedicated software allows you to:

  • Manage employee identity and access:
    • use two-factor and secondary authentication features to ensure that users who log into your system are really who they claim to be
    • manage critical and emergency access scenarios with one-time passwords that allow you to generate a unique password for accessing servers and sensitive data
    • implement PAM functionality, such as privileged account and session management (PASM), which provides temporary credentials for sessions initiated from your jump server. PASM makes stealing a privileged account difficult.
  • Monitor user activity. An insider can attack at any moment, so you need a continuous activity monitoring system. It should provide 100% visibility over anything happening in your network. You can set alerts on suspicious actions to catch troublemakers in the act and analyze records to see if there was malicious intent. If security has been breached, extensive session records allow you to estimate the damage.
  • Analyze reports and statistics. It’s crucial for such a solution to include a powerful reporting module to generate reports automatically or on demand. Typically, there are sets of embedded reports and some customization options.
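As an added example (not Ekran System’s code and not from the article), here is the kind of alerting logic a monitoring system would run over session records: it flags sessions by accounts that should already have been disabled (the recently fired workers mentioned earlier) and privileged sessions that did not originate from the jump server, then lists the assets those sessions touched so the damage can be estimated. The session record format, the host names and the account names are constructed.

```python
"""Alerting on suspicious sessions (added example; not Ekran System's code)."""

# Constructed session records in an assumed format: who, from where, privileged or not,
# and which sensitive assets the session touched (the detail session records give you).
SESSIONS = [
    {"id": 1, "user": "alice", "src": "jump01",     "privileged": True,  "assets": ["db-prod"]},
    {"id": 2, "user": "bob",   "src": "laptop-bob", "privileged": True,  "assets": ["db-prod", "hr-share"]},
    {"id": 3, "user": "carol", "src": "wks-17",     "privileged": False, "assets": ["crm"]},
    {"id": 4, "user": "dave",  "src": "wks-02",     "privileged": False, "assets": []},
]
TERMINATED = {"carol"}   # accounts of recently fired workers; should no longer log in at all
JUMP_HOSTS = {"jump01"}  # the only permitted origin for privileged sessions (PASM via jump server)

def evaluate(sessions, terminated=TERMINATED, jump_hosts=JUMP_HOSTS):
    """Return (session id, reason) for every session that should raise an alert."""
    alerts = []
    for s in sessions:
        if s["user"] in terminated:
            alerts.append((s["id"], f"access by terminated account {s['user']}"))
        if s["privileged"] and s["src"] not in jump_hosts:
            alerts.append((s["id"], f"privileged session from non-jump host {s['src']}"))
    return alerts

def exposure(sessions, alerts):
    """Assets touched by flagged sessions: a first estimate of what may be compromised."""
    flagged = {sid for sid, _ in alerts}
    return sorted({a for s in sessions if s["id"] in flagged for a in s["assets"]})

if __name__ == "__main__":
    found = evaluate(SESSIONS)
    for sid, reason in found:
        print(f"ALERT session {sid}: {reason}")
    print("possibly exposed:", exposure(SESSIONS, found))
```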

Case study: PECB Inc. Deploys Ekran System to Manage Insider Threats [PDF]



Insider threats are a dangerous risk for any company. To manage possible risks, it’s worth dedicating a section in your risk mitigation plan to insider threats or developing a separate document. Developing a mitigation plan entails several important steps.


First, identify and prioritize all insider threats you face. Then, create a risk mitigation plan and a response team. Finally, deploy a monitoring solution to be aware of anything happening inside your network.


Ekran System is a good choice for detecting, preventing, and responding to any malicious internal activity. It helps you monitor your employees’ activity, including the activity of privileged users, records all data in indexed session video records with various metadata, and includes identity and access management tools and incident response functionality.