Insider Threat Programs: Getting Started


What is an insider threat program?

An insider threat arises when someone with privileged, internal access to a company’s data and resources takes actions – intentionally or otherwise – that put the company at risk. Because of their position and legitimate access to company resources, these insiders pose a significant risk to corporate cybersecurity.

In 2020, 60% of data breaches involved an insider, making an insider threat program a priority for any organization. However, identifying and managing these insider threats requires a careful, measured approach by an organization. An effective insider threat program balances the risks of insider threats with the needs of the company and its employees.

How to build an insider threat program

An insider threat can be anyone with access to an organization’s data or systems: employees, contractors, and third-party partners. What makes insider threats so difficult to manage is that the same access and permissions these people need to do their jobs can also be used for actions that harm the organization. Managing the risks associated with insider threats requires a multi-stage process. To start setting up an insider threat program, take the following steps.

  1. Identify what is most important: An insider threat management program should be focused on what is most important to the company. Consider which data is the most valuable or potentially damaging if breached and focus efforts there.
  2. Assemble the Insider Threat Working Group: An insider threat working group should include all potential stakeholders. This includes human resources, legal, security, and any others that would be directly involved or impacted by an insider threat.
  3. Get executive buy-in: Executive support is essential to a sustainable and effective insider threat program. Gain executive buy-in by collecting data on the potential impacts of insider threats and the particular risks to your organization.
  4. Define insider triggers: Not all data breaches are driven by malicious intent, and not all insider threats are created equal. Effective insider threat management requires a complete understanding of what causes an insider to take the actions that place the company at risk.
  5. Establish workflows: Insider threat management should be a concrete, repeatable process. Develop strategies for addressing every stage of this process, including monitoring, investigation, remediation, and response.
  6. Leverage existing resources: Most organizations don’t have the resources required to staff a full team focused solely on insider threat management. However, by leveraging security ambassadors and making strategic investments in solutions, companies can achieve a high level of protection with a fraction of the resources.
  7. Create a healthy security culture: Ignorance of security policies and procedures and an adversarial relationship with the security team can turn employees into insider threats. Educating employees about security policies and processes, how they work, and the goals that they achieve and getting widespread buy-in can eliminate many insider threats before they become a problem.
  8. Implement technology: Waiting until an insider threat scenario occurs is too late to start data collection. A company should deploy security tools that grant them comprehensive visibility into their data so that they have the data that they need when they need it.

By working through these steps, a company can lay the groundwork for an insider threat program. However, managing insider threats is an ongoing process, not a one-time exercise. An organization needs to be constantly vigilant in order to detect the signs of an insider threat and react in time.

To learn more about developing an insider threat program, check out Code42’s webinar on starting an insider threat program and other critical considerations.

Effectively protecting against insider threats

Insider threat management is a challenging problem to solve. On the one hand, waiting until an incident has occurred to start responding means that you are too late and the damage has likely already been done. On the other, proactively taking excessive measures to shut down insider threats can damage employee productivity and poison a company's employee experience. Instead, Code42 recommends taking a “right sized” approach to responding to insider threats.

This involves positioning the organization to respond when needed without jumping the gun. The critical components of a right-sized response to insider threats are comprehensive data visibility and clear incident response policies. Together these let a company detect a potential data breach in its early stages and act quickly to stop the threat before damage is done.
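The steps "define insider triggers" and "establish workflows" above, and the "right sized" response described here, come down to one practical question: which combinations of observed activity and stakeholder context should open an investigation, and which should merely stay visible. The following Python is an added example for this page, not Code42's code and not any product's schema. The event fields, trigger weights, the 100 MiB "large transfer" cutoff, the off-hours window, the alert threshold, and the sample users and file names are all assumptions constructed for illustration. It scores each file-activity event against weighted triggers so that a single weak signal (one small USB copy) does not page anyone, while a departing user moving a crown-jewel file to an untrusted destination does.

```python
"""Insider-risk trigger scoring over constructed file-activity events.

Added example for this page; it is not Code42 code and does not use any
product schema. Field names, trigger weights, the alert threshold and the
sample users/files are assumptions chosen to illustrate the idea.
"""
from __future__ import annotations

# Step 1 (identify what is most important): files treated as crown jewels.
# Constructed list.
CRITICAL_FILES = {"customer-list.csv", "roadmap.docx"}

# Step 2 (working group): HR-supplied context such as users who have given
# notice. Constructed list.
DEPARTING_USERS = {"bob"}

# Step 4 (define insider triggers): each trigger carries a weight so that a
# single weak signal does not fire an alert but a combination does.
UNTRUSTED_DESTINATIONS = {"usb", "personal-cloud", "personal-email"}
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024  # 100 MiB, assumed cutoff
TRIGGER_WEIGHTS = {
    "untrusted_destination": 2,
    "critical_file": 3,
    "large_transfer": 2,
    "off_hours": 1,
    "departing_user": 3,
}
ALERT_THRESHOLD = 6  # assumed; tune to the organization's risk tolerance

# Constructed sample events, shaped like an export from a file-activity tool.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "upload", "destination": "corp-sharepoint",
     "file": "q3-plan.pptx", "bytes": 2_000_000, "hour": 10},
    {"user": "bob", "action": "copy", "destination": "usb",
     "file": "customer-list.csv", "bytes": 1_500_000_000, "hour": 23},
    {"user": "bob", "action": "upload", "destination": "personal-cloud",
     "file": "roadmap.docx", "bytes": 300_000_000, "hour": 23},
    {"user": "carol", "action": "copy", "destination": "usb",
     "file": "notes.txt", "bytes": 5_000, "hour": 14},
]


def event_triggers(event: dict) -> list[str]:
    """Return the names of every trigger the event matches."""
    hits = []
    if event["destination"] in UNTRUSTED_DESTINATIONS:
        hits.append("untrusted_destination")
    if event["file"] in CRITICAL_FILES:
        hits.append("critical_file")
    if event["bytes"] >= LARGE_TRANSFER_BYTES:
        hits.append("large_transfer")
    if event["hour"] >= 22 or event["hour"] < 6:  # assumed off-hours window
        hits.append("off_hours")
    if event["user"] in DEPARTING_USERS:
        hits.append("departing_user")
    return hits


def score_event(event: dict) -> int:
    """Sum the weights of the triggers the event matches."""
    return sum(TRIGGER_WEIGHTS[t] for t in event_triggers(event))


def find_alerts(events: list[dict], threshold: int = ALERT_THRESHOLD) -> list[dict]:
    """Step 5 (workflow): only events at or above the threshold become
    investigation items; everything else stays visible but does not page anyone."""
    alerts = []
    for ev in events:
        score = score_event(ev)
        if score >= threshold:
            alerts.append({"user": ev["user"], "file": ev["file"],
                           "destination": ev["destination"], "score": score,
                           "triggers": event_triggers(ev)})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"{a['user']}: {a['file']} -> {a['destination']} "
              f"(score {a['score']}, triggers {', '.join(a['triggers'])})")
```

With the constructed data, only the two events by the departing user cross the threshold; Carol's small USB copy matches one trigger and is recorded but not escalated, which is the "right sized" balance the page describes. The weights and threshold are the knobs the working group from step 2 would own, and the HR context feeding `DEPARTING_USERS` is only available because that group was assembled before an incident rather than after.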
