How to create the perfect insider threat programme


Barely a day goes by without news of another security breach and its implications for both the organisation in question and its employees. Most of these breaches involve the leak of sensitive information.

Notable household names such as Sony Entertainment, JP Morgan and eBay all fell foul, in one way or another, to breaches involving an internal source last year.

February of this year saw the announcement of the Anthem security breach. So should we start placing bets on who will be next?


Research fielded by IS Decisions for its User Security 2015 report revealed that IT professionals intend to make a concerted effort this year to address the insider threat.

In the UK, a substantial number of organisations (43%) already have an insider threat programme, and of those yet to implement one, 69% plan to do so this year.

It is good to see that the intention is there, but before rushing into anything it is worth taking a moment to think about what you actually need to concentrate on.

Naturally, each organisation will have different priorities, but the basics remain the same. It is also worth highlighting elements that seem obvious but are often overlooked.

No matter the type or size of an organisation, these elements should always be considered.

What happens when someone leaves?

First things first (or perhaps last things first): what does your organisation do when an employee leaves? Wish them well and not give it another thought? Previous research from IS Decisions found that more than a third of ex-employees still had access to a former employer's data using their old login details.

Yet only 24% of IT professionals planned to incorporate a formal employee exit process into their insider threat programme, which suggests either a lack of awareness of the problem or a lack of impetus to address it.

Imagine that the employee you happily waved off now holds a grudge against you or your organisation. By allowing them continued access to email, the network and other systems, you are giving them free rein to cause all sorts of havoc.

Ex-employees are far more likely than current ones to have a motive for malicious action, and they have no legitimate need for access to your network, so why leave it open to them?


The Sony Entertainment breach is a case in point: ex-employees were reportedly the source of one of the biggest corporate data breaches of all time.

Overlooking this aspect of an insider threat programme could be disastrous, yet it could hardly be easier to put a process in place that disables a leaver's accounts and removes their network and application access on the day their employment ends (and rotates any shared credentials they knew). So why have so many organisations yet to take this into consideration?
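One way to find the accounts an exit process has missed is to reconcile the HR leavers list against a directory export. The script below is an added example, not code from this article or from IS Decisions: the HR records, directory accounts and dates are constructed sample data, and the function and field names are assumptions. The same logic would run unchanged over a real export that carries an enabled flag and a last-logon date per account.

```python
"""Leaver reconciliation: compare the HR leavers list against a directory
export to find ex-employees whose accounts are still enabled or still in use.

Added example, not code from the original article or from IS Decisions.
All records below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    username: str
    leaving_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class DirectoryAccount:
    username: str
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on


# Constructed HR roster: who works here and when they left (if they did).
HR_ROSTER = [
    HrRecord("alice", None),
    HrRecord("bob", date(2015, 1, 15)),
    HrRecord("carol", date(2015, 1, 20)),
    HrRecord("dave", date(2014, 12, 1)),
    HrRecord("frank", date(2015, 4, 1)),  # notice given, still employed today
]

# Constructed directory export (think: enabled flag and last-logon date pulled
# from Active Directory or an identity provider).
DIRECTORY = [
    DirectoryAccount("alice", True, date(2015, 3, 2)),
    DirectoryAccount("bob", True, date(2015, 2, 2)),      # logged on after leaving
    DirectoryAccount("carol", True, date(2015, 1, 10)),   # still enabled, not used
    DirectoryAccount("dave", False, date(2014, 11, 28)),  # correctly disabled
    DirectoryAccount("erin", True, date(2015, 2, 20)),    # no HR record at all
    DirectoryAccount("frank", True, date(2015, 3, 4)),    # leaves in the future
]


def reconcile(roster: List[HrRecord], directory: List[DirectoryAccount],
              today: str, grace_days: int = 0) -> Dict[str, List[str]]:
    """Return the accounts an offboarding process should act on.

    today is an ISO date string, e.g. "2015-03-05".

    should_disable  : leavers whose leaving date (plus any grace period) has
                      passed but whose account is still enabled
    used_after_exit : leavers whose account logged on after their leaving date,
                      i.e. the "ex-employee still has access" case
    unknown_to_hr   : enabled accounts with no matching HR record (orphaned
                      accounts or shared logins that nobody owns)
    """
    today_d = date.fromisoformat(today)
    leaving_by_user = {r.username: r.leaving_date for r in roster}
    result: Dict[str, List[str]] = {
        "should_disable": [], "used_after_exit": [], "unknown_to_hr": []}

    for acct in directory:
        if acct.username not in leaving_by_user:
            if acct.enabled:
                result["unknown_to_hr"].append(acct.username)
            continue
        left_on = leaving_by_user[acct.username]
        if left_on is None or left_on > today_d:
            continue  # current employee (or leaving date not yet reached)
        if acct.enabled and today_d >= left_on + timedelta(days=grace_days):
            result["should_disable"].append(acct.username)
        if acct.last_logon is not None and acct.last_logon > left_on:
            result["used_after_exit"].append(acct.username)
    return result


if __name__ == "__main__":
    for category, users in reconcile(HR_ROSTER, DIRECTORY, "2015-03-05").items():
        print(f"{category}: {', '.join(users) or '-'}")
```

The "used after exit" list is the one to read first: an account that authenticated after the leaving date is exactly the case the IS Decisions research describes, and it deserves an investigation, not just a disable. The "unknown to HR" list catches accounts that no exit process will ever touch because no leaver is associated with them.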

Zero-trust is key

An excellent mandate to work with in organisational security is 'never trust, always verify'. Known as the zero-trust model, this mindset treats every request for access as untrusted until it has been verified, regardless of whether the user is already inside the network.

Although this may sound unnecessarily strict, it need not noticeably affect the user's experience. All the organisation is doing is verifying access at every point where it can be checked, rather than trusting a user because of where they are connecting from, and that significantly reduces the surface exposed to an attacker or a compromised account.
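To make the difference concrete, the following is an added example (not code from this article or from IS Decisions) that contrasts a perimeter decision, which trusts anything from the corporate address range, with a per-request zero-trust decision that checks the account, a second factor, the device and the authorisation for the specific resource. The users, devices, addresses, resources and rules are constructed for illustration.

```python
"""Perimeter trust versus zero trust, expressed as a policy decision function.

Added example, not code from the original article or from IS Decisions.
Users, devices, resources and addresses below are constructed; the rules are
illustrative of 'never trust, always verify'."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    resource: str
    source_ip: str
    mfa_passed: bool


# Constructed identity store: username -> (enabled, group memberships)
USERS: Dict[str, Tuple[bool, Set[str]]] = {
    "alice": (True, {"finance"}),
    "bob": (False, {"finance"}),  # ex-employee, account disabled at exit
}

# Constructed device inventory: device id -> (owner, compliant with policy)
DEVICES: Dict[str, Tuple[str, bool]] = {
    "LT-0042": ("alice", True),
    "LT-0099": ("alice", False),  # alice's second laptop, out of compliance
    "LT-0007": ("bob", True),
}

# Constructed resource policy: resource -> group that may use it
RESOURCES: Dict[str, str] = {"finance-share": "finance", "hr-db": "hr"}


def perimeter_allow(req: Request) -> bool:
    """The network-location model: anything on the corporate network is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decide(req: Request) -> Tuple[bool, str]:
    """Verify identity, second factor, device and authorisation on every
    request. Network location is deliberately never consulted."""
    if req.user not in USERS:
        return False, "unknown user"
    enabled, groups = USERS[req.user]
    if not enabled:
        return False, "account disabled"
    if not req.mfa_passed:
        return False, "mfa required"
    if req.device_id not in DEVICES:
        return False, "unregistered device"
    owner, compliant = DEVICES[req.device_id]
    if owner != req.user:
        return False, "device not assigned to user"
    if not compliant:
        return False, "device not compliant"
    required_group = RESOURCES.get(req.resource)
    if required_group is None:
        return False, "unknown resource"
    if required_group not in groups:
        return False, "not authorised for resource"
    return True, "allowed"


if __name__ == "__main__":
    cases = [
        Request("bob", "LT-0007", "finance-share", "10.1.2.3", True),     # leaver, on-site
        Request("alice", "LT-0042", "finance-share", "203.0.113.7", True),  # remote, verified
        Request("alice", "LT-0099", "finance-share", "10.1.2.3", True),   # non-compliant device
        Request("alice", "LT-0042", "hr-db", "10.1.2.3", True),           # wrong group
        Request("alice", "LT-0042", "finance-share", "10.1.2.3", False),  # no second factor
    ]
    for req in cases:
        ok, why = zero_trust_decide(req)
        print(f"{req.user:6} {req.resource:14} from {req.source_ip:12} "
              f"perimeter={perimeter_allow(req)!s:5} zero-trust={ok!s:5} ({why})")
```

The first case is the one that matters for this article: a leaver whose account was disabled is let through by the perimeter check simply for being on the office network, and refused by the per-request check. The second case shows that zero trust is not about blocking remote users; a verified user on a compliant device is allowed from anywhere.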

Honour good employee behaviour

Not only will the zero-trust model give a deeper level of user security within the organisation, it is likely to have the additional benefit of reinforcing positive security behaviour among employees.

It is basic human nature: if users understand the difference between acceptable and unacceptable behaviour, they are far more likely to lean towards the acceptable.

We know that the majority of IT professionals plan to include training and education in their insider threat programme; however, the most effective awareness building is done on the job.

It is easier to expect a user to follow a rule that is reinforced daily than a written policy they were expected to read and remember amongst a long list of documents on joining the company, or a one-off training session they were asked to attend.

Alert, alert, alert

As previously mentioned, user education has far more impact when it happens in real time. The same goes for user activity monitoring, which has two elements.

First, on the user side, if employees are alerted when they act in a manner that could be deemed suspicious, they are far more likely to pay attention. And if the behaviour is in fact malicious, a real-time alert can stop them in their tracks.


Second, on the administrator side, the ability to monitor and track behaviour gives further insight into how users act on the network. An alert on suspicious behaviour lets the administrator stop a potential threat quickly, before significant damage is done.

By including all of these elements in an insider threat programme, an organisation strongly reduces its chances of being the next security breach story in the news.
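An added example, not code from this article or from IS Decisions' products, showing what real-time logon alerting can look like in practice: a few constructed logon and logoff records are run through three illustrative rules (an out-of-hours logon, a logon from a workstation the user has never used, and a second concurrent session), producing alerts that can be shown to the user as a prompt and queued for the administrator to follow up. The log format, the per-user baseline and the working-hours window are assumptions.

```python
"""Real-time logon alerts for both the user and the administrator.

Added example, not code from the original article or from IS Decisions.
The log lines, the per-user baseline of known workstations and the
working-hours window are constructed; the three rules are illustrative."""
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Alert(NamedTuple):
    when: datetime
    user: str
    rule: str
    detail: str


# Constructed logon/logoff records, one event per line: time, action, user, host.
SAMPLE_LOG = """\
2015-03-02T08:05:10 LOGON alice WS-ACC-01
2015-03-02T08:20:33 LOGON alice WS-ACC-07
2015-03-02T12:00:00 LOGOFF alice WS-ACC-01
2015-03-02T23:40:05 LOGON bob WS-DEV-02
2015-03-07T10:15:00 LOGON carol WS-HR-01
2015-03-03T09:00:00 LOGON dave WS-DEV-02
"""

# Constructed baseline: workstations each user is known to use.
KNOWN_HOSTS: Dict[str, Set[str]] = {
    "alice": {"WS-ACC-01"},
    "bob": {"WS-DEV-02"},
    "carol": {"WS-HR-01"},
    "dave": {"WS-DEV-01"},
}

WORK_START, WORK_END = 7, 20  # logons expected 07:00-20:00, Monday to Friday


def parse(log: str) -> List[Tuple[datetime, str, str, str]]:
    """Turn the text log into (time, action, user, host) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, action, user, host = line.split()
        events.append((datetime.fromisoformat(ts), action, user, host))
    return sorted(events)


def detect(log: str, known_hosts: Dict[str, Set[str]]) -> List[Alert]:
    """Run each logon through the three rules as it arrives."""
    alerts: List[Alert] = []
    active: Dict[str, Set[str]] = {}  # user -> hosts with an open session

    for when, action, user, host in parse(log):
        sessions = active.setdefault(user, set())
        if action == "LOGOFF":
            sessions.discard(host)
            continue

        # Rule 1: weekend, or outside the working-hours window
        if when.weekday() >= 5 or not (WORK_START <= when.hour < WORK_END):
            alerts.append(Alert(when, user, "out_of_hours",
                                f"logon at {when:%a %H:%M}"))
        # Rule 2: a workstation this user has never used before
        if host not in known_hosts.get(user, set()):
            alerts.append(Alert(when, user, "unknown_workstation",
                                f"first logon from {host}"))
        # Rule 3: a second session while another is still open elsewhere
        if sessions and host not in sessions:
            alerts.append(Alert(when, user, "concurrent_session",
                                f"already logged on at {', '.join(sorted(sessions))}"))
        sessions.add(host)
    return alerts


def user_notice(alert: Alert) -> str:
    """The real-time message shown to the user who triggered the alert."""
    return (f"{alert.user}: {alert.detail} was flagged as {alert.rule.replace('_', ' ')}. "
            "If this was not you, contact IT now.")


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, KNOWN_HOSTS):
        print(f"[admin] {a.when:%Y-%m-%d %H:%M} {a.rule:20} {a.user:6} {a.detail}")
        print(f"[user ] {user_notice(a)}")
```

The same alert serves both audiences described above: the user-facing notice is the on-the-job reinforcement of the rule, and the administrator's copy is the prompt to investigate. Alice's second logon is the interesting line in the sample, because it trips two rules at once (a never-seen workstation while her first session is still open), which is a stronger signal than either on its own.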


Sourced from François Amigorena, CEO, IS Decisions


Ben Rossi
