Insider Threat Best Practices from Industry
Hello, this is Derek A. Smith, Director of Cybersecurity Initiatives for the National Cybersecurity Institute at Excelsior College. Thanks for taking the time to visit our new insider threat blog. Insider threat is often not given the same attention as threats from the outside, but it can cause tremendous damage to an organization. The purpose of this particular blog is to raise awareness of the risks of insider threat and to help identify the factors influencing an insider’s decision to act, the indicators and precursors of malicious acts, and the countermeasures that will improve an organization’s chances of survivability and resiliency should it be burdened with insider threat attacks. With the insider threat landscape changing so quickly, we at NCI believe a blog is an effective vehicle for addressing current issues as they relate to the insider threat in a timely manner.
Let’s begin by talking about some best practices an organization can enact as they relate to the insider threat. Below are ideas that have proved effective for combating the insider threat.
Insider Threat Incident Management
- Build upon the security awareness training program to manage insider threat risk.
  - Many organizations already have a security awareness training program that teaches employees how to recognize and handle potential security problems in the workplace. The organization can enhance this program by ensuring that it includes insider threat indicators. Be sure to include the best ways to report insider threat issues.
- Let your employees know you are monitoring their activity.
  - Let employees and contractors know that activities are being monitored consistently across the organization and will be used to identify potential insider threats as part of the organization’s risk management program. The knowledge that they may be monitored is often a good deterrent to potential inside attackers.
  - Some organizations have had success with letting all employees know when someone has been caught violating an organizational policy. Informing employees may deter others from malicious behavior.
- Organizations should monitor in order to better understand the environment and to further enhance audit capabilities.
  - When someone resigns, activate additional auditing that allows for monitoring what information they are accessing. Be sure to work with the legal, IT, and human resources teams to establish a clearly defined policy that addresses employee privacy and legal issues.
  - Set up controls that log, monitor, and report when a large number of files are accessed in a short period of time. This could be an indication of someone gathering documents from an internal site.
  - Monitor for system access while an employee is on leave or during odd hours. This could indicate an inside threat or that someone else is improperly using that employee’s credentials.
  - Consider setting up a honey pot or honey net to detect malicious insiders. These are specially configured servers or networks used to detect rogue employees. They contain information that might tempt malicious insiders, such as:
    - Bogus company documents.
    - Accounts that appear to have special meaning or functions.
    - An appearance that the server performs some critical business function.
  - Organizations should especially monitor privileged account holders. These individuals have much more access than the average user and know how to bypass the security measures the organization has in place.
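The two monitoring controls above (reporting bursts of file access, and flagging activity while an employee is on leave or during odd hours) are simple enough to prototype against an audit log. The following is an added example written for this post, not a tool from NCI or any vendor: the log format, user names, leave calendar, business hours and burst thresholds are all constructed, and a real deployment would read these from the organization's own audit source and policy.

```python
"""Detect two insider-threat indicators over an audit log: bursts of file
access by one user, and any activity while a user is on leave or outside
business hours. All data below is constructed for illustration."""
from collections import defaultdict, deque
from datetime import date, datetime, time

# Constructed sample audit log (hypothetical format, not any real product's):
# "<ISO timestamp> <user> <action> <object>"
SAMPLE_LOG = """\
2024-03-04T09:12:05 alice FILE_READ /share/finance/q1.xlsx
2024-03-04T09:12:07 alice FILE_READ /share/finance/q2.xlsx
2024-03-04T09:12:09 alice FILE_READ /share/finance/q3.xlsx
2024-03-04T09:12:10 alice FILE_READ /share/finance/q4.xlsx
2024-03-04T09:12:12 alice FILE_READ /share/finance/budget.docx
2024-03-04T09:12:14 alice FILE_READ /share/finance/forecast.pptx
2024-03-04T10:30:00 carol FILE_READ /share/hr/handbook.pdf
2024-03-04T14:05:00 bob LOGON workstation-12
2024-03-04T14:06:30 bob FILE_READ /share/eng/design.pdf
2024-03-05T02:41:17 carol LOGON vpn-gateway
2024-03-05T02:42:00 carol FILE_READ /share/hr/salaries.xlsx
"""

# Constructed leave calendar (would come from HR): user -> (first day, last day).
ON_LEAVE = {"bob": (date(2024, 3, 4), date(2024, 3, 8))}

# Assumed policy values; tune these to the organization's own baseline.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
BURST_FILES, BURST_WINDOW_SECONDS = 5, 60


def parse_log(text):
    """Parse log lines into event dicts; skip malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, obj = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "action": action, "obj": obj})
        except ValueError:
            continue
    return sorted(events, key=lambda e: e["ts"])


def detect_file_access_bursts(events, threshold=BURST_FILES, window=BURST_WINDOW_SECONDS):
    """Alert once a user reads `threshold` distinct files inside a sliding window.
    The window is cleared after an alert so a later, separate burst alerts again."""
    windows = defaultdict(deque)  # user -> deque of (timestamp, object) in window
    alerts = []
    for ev in events:
        if ev["action"] != "FILE_READ":
            continue
        q = windows[ev["user"]]
        q.append((ev["ts"], ev["obj"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()  # drop reads that fell out of the window
        distinct = {obj for _, obj in q}
        if len(distinct) >= threshold:
            alerts.append({"user": ev["user"], "at": ev["ts"],
                           "files": len(distinct), "reason": "file access burst"})
            q.clear()
    return alerts


def detect_unusual_access(events, on_leave=ON_LEAVE, start=BUSINESS_START, end=BUSINESS_END):
    """Alert on any activity while the user is on leave or outside business hours.
    Leave takes precedence: activity on leave is suspicious at any hour."""
    alerts = []
    for ev in events:
        leave = on_leave.get(ev["user"])
        if leave and leave[0] <= ev["ts"].date() <= leave[1]:
            alerts.append({"user": ev["user"], "at": ev["ts"],
                           "reason": "activity while on leave"})
        elif not (start <= ev["ts"].time() < end):
            alerts.append({"user": ev["user"], "at": ev["ts"],
                           "reason": "activity outside business hours"})
    return alerts


def run_checks(text=SAMPLE_LOG):
    """Run both detectors over a log and return the alerts grouped by detector."""
    events = parse_log(text)
    return {"bursts": detect_file_access_bursts(events),
            "unusual": detect_unusual_access(events)}


if __name__ == "__main__":
    for kind, alerts in run_checks().items():
        for alert in alerts:
            print(kind, alert)
```

On the sample log this flags alice's six finance reads within nine seconds as one burst, both of bob's actions because they fall inside his recorded leave, and carol's 02:41 VPN logon and file read as off-hours activity, while carol's mid-morning read is left alone. In practice the off-hours rule needs a per-user or per-role baseline (shift workers, on-call staff) or it will drown the analyst in false positives, and the leave check is only as good as the HR feed behind it.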
Finally, should an insider attack occur and an investigation ensue, be sure to conduct an after-action review once the investigation is over. Use the after-action review to determine what enabled the incident to occur and enact countermeasures to ensure it cannot occur again.
These are just a few strategies that organizations can use to identify and respond to insider threats. If you have other suggestions, please email and let us know.