Organizations are coming to terms with the fact that insider threats can be one of the most serious security challenges they face.
Developing a program to mitigate internal threats has become more urgent with the growing complexity of workplaces and the fact that insider threats are becoming more difficult to detect, said a report from consulting firm Deloitte. The threats can include fraud, espionage, IT sabotage and theft of intellectual property.
Mitigation programs can help organizations strengthen their position against internal threats by providing early detection of threats and a quick response. But the study points out threats are not limited to information security, and, by looking at insider-threat mitigation broadly, C-level executives can help reduce the level of risk to their organization.
There are several actions companies can take when designing, creating and deploying a formal insider-threat mitigation program:
• Organizations need to define potential insider threats. These can be employees, contractors or vendors that commit malicious or unintentional acts using their trusted and verified access to systems.
• Few organizations have a specific working definition of such threat sources, partially because security budgets have historically focused on external threats. Defining potential insider threats is a critical first step to creating a program.
• Enterprises also need to define their “risk appetite,” and identify the critical assets that need to be protected. What is the organization’s tolerance for the loss of or damage to those assets?
• Companies should identify key threats and vulnerabilities within the business and its processes. The development of the program can then be shaped to address these specific needs and types of threats, as well as taking into account the organization’s culture.
The insider threat mitigation program should have a champion, a broad group of stakeholders and support from executive leadership. Companies should consider forming a cross-functional working group that ensures the proper level of buy-in across departments and stakeholders. This group should help address common concerns and should support the creation of messaging to the entire organization.
The program should not rely solely on technical solutions. It should also include critical business processes, such as segregation of duties for various functions, nontechnical controls, organizational change management components and security training programs.
Organizations should also establish routine and random reviews of privileged functions; such reviews are a common way of identifying insider threats across a range of areas. They should trust their employees, but balance that trust with verification so that no one is given unlimited access and no single person becomes a single point of failure.
Organizations also need to “stay a step ahead.” Insiders’ methods, tactics and attempts to cover their tracks constantly evolve, which means the insider-threat program should continually evolve as well.