4 Steps to Create an Insider Threat Strategy

Todd Thorsen

Director, Governance, Risk Mgmt & Compliance

The increased need for collaboration as your employees work from home could be putting your organization’s data at risk. Our study found that 37% of workers use unauthorized apps daily while 26% use them weekly to share files with colleagues. Plus, 36% of workers believe that the increased emphasis on file-sharing has made them more complacent about data security. So, how do you protect your data and your business without stifling your company culture and employee productivity? It starts with building an effective insider threat program. Here are four foundational steps to creating a program that will foster collaboration without compromising the safety of your data. 

Gain support from the top down.

Gaining robust support and buy-in for your insider threat program is the essential first step to protecting the culture of trust within your organization. Support from key stakeholders at all levels will also help you navigate roadblocks and other issues as you create, implement and manage your insider threat program. 

Start at the top by getting the C-suite up to speed on the types of threats that exist, how they could affect the organization, and your strategy to mitigate the risks. Once you have support and funding, an effective insider threat program depends on working partnerships between security, IT, HR, legal and other teams within your organization. These groups are essential to building insider risk management processes around your highest-risk scenarios, such as employee onboarding and offboarding, new product development and organizational changes like M&A. Once each group's stake in the program is established, define accountability clearly: what each stakeholder is responsible for delivering or executing in the overall insider threat program.

Focus on monitoring the right things.

It sounds obvious, but it bears repeating because too many companies get this step wrong: Make sure your insider threat program is focused on monitoring the right things — not looking in the wrong direction or trying to look in every direction. Here are considerations to help you focus your insider threat program:

  • Identify your regulated data. Clearly defining regulated data relevant to your organization gives you a solid starting point for what your insider threat program needs to protect. As you build out your insider threat program to address regulated data, you may expand to include non-regulated, unstructured data — your trade secrets, IP and other proprietary and sensitive information that drives your business.
  • Identify your biggest risks. Once you know what you’re protecting, work on understanding what you’re protecting that data from. In most organizations, the biggest insider threat risks center on departing employees, onboarding employees, access privileges to high-value data, and major organizational changes like an M&A.
  • Focus on the data — not the people. Many companies’ security programs focus on employee actions and use tools like user and entity behavior analytics (UEBA). This approach has implications for employee privacy and culture, and it is simply the wrong focus. It’s the data you’re responsible for protecting. You don’t need to see everything your employees are doing in their web browsers; you need to see only the browser activity that touches your protected data.

Build a program focused on seeing what matters most.

Once you set the focus of your program, it’s time to set your sights on the data that matters most. No single tool provides all the capabilities you need to protect every type of regulated, valuable or sensitive data in your organization. An effective insider threat program instead complements an overall data security strategy with a combination of tools and processes, each playing a complementary role. Insider threat programs typically combine three kinds of capability:

  • Logging and alerting: Make sure you are capturing all relevant activity logs (often tricky with SaaS applications) and set up alerts for the activities you deem riskiest.
  • Special tools: Depending on the technology implemented, you may get additional alerts, risk ranking or integrated workflows to help guide your setup.
  • Defined processes: Technology can’t solve every problem, and sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.
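The alerting and risk-ranking ideas above, combined with the earlier point about watching data rather than people, can be made concrete with a small data-centric alerting rule. The following is an added example, not code from Code42 or from this article: it scores constructed file-activity log lines only when the file carries a protected-data label, adds risk for exfiltration to an unsanctioned app and for departing employees, and ignores ordinary browsing entirely. The log format, label names, app lists and the departing-employee list are all assumptions for illustration.

```python
"""Data-centric insider risk alerting over constructed file-activity log lines.

Added example; the JSON log format, labels, app lists and user lists below are
assumptions for illustration, not real telemetry or any vendor's schema.
"""
import json

# Constructed sample log: one JSON event per line. Only 'labels' (data
# classification tags) decide whether an event is in scope at all.
SAMPLE_LOG = """\
{"ts":"2020-05-04T09:12:00Z","user":"alice","action":"upload","app":"corp-drive","file":"q2-roadmap.docx","labels":["confidential"]}
{"ts":"2020-05-04T09:15:00Z","user":"bob","action":"browse","app":"news-site","file":null,"labels":[]}
{"ts":"2020-05-04T09:20:00Z","user":"carol","action":"upload","app":"personal-dropbox","file":"customer-ssn-export.csv","labels":["pii","regulated"]}
{"ts":"2020-05-04T09:25:00Z","user":"dave","action":"share","app":"wetransfer","file":"cafeteria-menu.pdf","labels":[]}
{"ts":"2020-05-04T09:30:00Z","user":"carol","action":"download","app":"corp-drive","file":"source-tree.zip","labels":["trade-secret"]}
"""

# Context the program would pull from IT and HR (constructed here).
SANCTIONED_APPS = {"corp-drive", "corp-mail"}
DEPARTING_USERS = {"carol"}          # e.g. resignation filed in the last 30 days
PROTECTED_LABELS = {"pii", "regulated", "trade-secret", "confidential"}
REGULATED_LABELS = {"pii", "regulated"}
EXFIL_ACTIONS = {"upload", "share", "email-attach"}


def score_event(evt):
    """Return (risk_score, reasons) for one event.

    A score of 0 means the event never touched protected data and produces
    no signal at all, regardless of who the user is or what app they used.
    """
    labels = set(evt.get("labels") or [])
    if not labels & PROTECTED_LABELS:
        return 0, []                      # data-centric: out of scope, not recorded
    score, reasons = 1, ["touches protected data"]
    if evt["action"] in EXFIL_ACTIONS and evt["app"] not in SANCTIONED_APPS:
        score += 3
        reasons.append(f"{evt['action']} via unsanctioned app {evt['app']}")
    if evt["user"] in DEPARTING_USERS:
        score += 2
        reasons.append("departing employee")
    if labels & REGULATED_LABELS:
        score += 1
        reasons.append("regulated data")
    return score, reasons


def alerts(log_text, threshold=3):
    """Parse newline-delimited JSON events and return alerts at or above threshold,
    highest risk first. Each alert carries the reasons so an analyst (or HR/legal)
    can see exactly why it fired."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        evt = json.loads(line)
        score, reasons = score_event(evt)
        if score >= threshold:
            out.append({"ts": evt["ts"], "user": evt["user"], "file": evt["file"],
                        "app": evt["app"], "score": score, "reasons": reasons})
    return sorted(out, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"[{a['score']}] {a['ts']} {a['user']} {a['app']} {a['file']}: "
              + "; ".join(a["reasons"]))
```

Run against the constructed log, this produces two alerts: the departing employee uploading a regulated customer export to an unsanctioned app (score 7) and the same employee downloading a trade-secret archive from the sanctioned drive (score 3, carried over the threshold only by the offboarding context). The ordinary browsing event and the unlabelled cafeteria menu shared over an outside service generate nothing, which is the point: the rule keys on classification of the data, and user context only adjusts the priority of an event that already involves protected data.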

Keep in mind there is no one-size-fits-all formula for an insider threat program. The most effective programs build in flexibility and agility. This includes allowing for additional context and accounting for the potential of human error. It also includes incorporating other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately as it changes over time. 

Communicate, communicate, communicate.

Finally, no matter how you decide to build out your program, transparency is a critical ingredient in ensuring efficacy from a data protection standpoint and trust from a company culture standpoint. Make sure your employees understand what you’re monitoring (and what you’re not), why you’re doing it, what they can and can’t do, and why it matters. It’s important that your employees understand how data risk can impact their day-to-day workflows and jeopardize the success of the business. It’s also important that they recognize how a smart approach to data protection does not inhibit their creative, productive and collaborative ways of working.

Todd Thorsen

Todd Thorsen, CISSP, CISM and CIPP/US, is a director of governance, risk management and compliance at Code42. Previously, Todd led the enterprise third-party security team, where he was responsible for third-party security, privacy and compliance across all retail, banking and healthcare operations.