Insider threat detected: now what?

Recent research from IBM’s 2016 Cyber Security Index, as just one example, stated that 60% of the year’s breaches were caused by an insider threat. It’s a problem that is here to stay – and furthermore is likely to grow.

There are different levels to insider threats. This can range from the malicious outsider that has found a legitimate door left open to your network, through to the vindictive employee sharing confidential information.

There’s also the lost laptop or the malicious link clicked by an unaware employee – which can catch out even the most vigilant.

There are dozens of pieces of writing regarding the insider security threat, but very little has been written about what happens once you uncover an issue within your network.

When dealing with an issue that can range from a lost memory stick through to corporate espionage, it’s vital to have a clear, structured plan to deal with a potentially damaging situation as efficiently as possible.

There are eight steps every company should take once this happens to mitigate the damage. Having the right technology in place is vital, but get the next steps wrong and that investment could well be for nothing.

Partner up with HR

First off, in an ideal world you would have obtained HR buy-in on processes around dealing with the insider threat before anything bad happens.

Of course, we don’t live in an ideal world, so the first step is notifying HR and working together to form a process.

Back up your actions with documentation

Ensure that there are ample security policies and/or employee agreements that back up any actions that may take place due to insider threat activity.

Acceptable use policies, information security policies, and privacy policies – and any exceptions – must be tracked and employees should sign a form stating that they understand and agree to adhere to the policies. This supplies a strong legal footing for any following actions.

Classification is key

Once an incident stemming from an insider threat is declared, triage must take place very quickly.

Understand – as much as possible – whether the suspicious activity is intentional or not.

A user attempting to exfiltrate data intentionally should be handled differently from a user who downloads malware accidentally – and it doesn’t pay to get this decision wrong.

Prioritise incidents accordingly

You need rules that outline timelines for dealing with an insider threat. In order to develop these timelines, you must first prioritise your incidents.

Priority can then be assigned according to the value of the compromised information assets, the privilege level of the user, and the action being taken.

Decide on a mitigation plan

Next, you should devise a process based on priority level, established processes and HR agreements.

Disciplinary measures, such as seizure of all of the user’s company assets, suspension of employment, or dismissal may be discussed.

Time it right

With your plan in place, it is time to act. Action, in this case, may include reduced or removed user privileges on high-value assets, confiscation of company assets in the user’s possession, and/or interview with HR and cyber security teams.

Be ready to cite policies and ensure that all parties involved are sending the same message.

Gather more data

Once you have acted to contain the threat, it’s imperative to understand when the activity may have started, whether more than one party is involved within the scope of the insider threat, any tools, techniques and procedures put to use, and what the intended target was (if it was intentional).

This can take some time, but it is worth ensuring that you have reached the root of the problem and that once you take action, the threat will be completely negated.
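The prioritisation step above (asset value, user privilege level, action taken) and the scoping questions in this section (when it started, who else is involved, which techniques, which targets) can both be answered from the same audit trail. The following is an added example, not code from the article or from ZoneFox: it parses a small constructed audit log, scores each event with assumed weights (the `ACTION_RISK` and `PRIVILEGE_RISK` tables and the P1/P2/P3 response windows are illustrative choices, not figures from the article), and builds an incident scope for one suspected user, including other parties who touched the same targets.

```python
"""Scope and prioritise an insider-threat incident from audit events.

Added example. The log format, weights and tiers below are assumptions
made for illustration; real deployments would map their own event
sources and agreed SLAs onto this shape.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed risk weights (not from the article): how far an action moves data
# towards leaving the organisation, and how much extra reach a privilege gives.
ACTION_RISK = {"login": 0, "download": 1, "usb_copy": 3, "email_external": 3}
PRIVILEGE_RISK = {"standard": 0, "admin": 1}
EXFIL_THRESHOLD = 2  # actions at or above this risk count as potential exfiltration

# Constructed sample audit log: "<iso timestamp> <user> <privilege> <action> <asset> <asset value 1-3>"
SAMPLE_LOG = [
    "2024-03-01T08:12:00 jdoe standard login hr-share 2",
    "2024-03-01T09:30:00 jdoe standard download hr-share 2",
    "2024-03-03T18:45:00 jdoe standard download finance-db 3",
    "2024-03-03T19:02:00 jdoe standard usb_copy finance-db 3",
    "2024-03-04T07:15:00 asmith admin login finance-db 3",
    "2024-03-04T07:20:00 asmith admin email_external finance-db 3",
    "2024-03-04T10:00:00 bwong standard login wiki 1",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    privilege: str
    action: str
    asset: str
    asset_value: int  # 1 low, 2 medium, 3 high


def parse_event(line: str) -> Event:
    """Parse one whitespace-separated audit line; reject unknown vocab early."""
    ts, user, priv, action, asset, value = line.split()
    if action not in ACTION_RISK or priv not in PRIVILEGE_RISK:
        raise ValueError(f"unknown action or privilege in: {line!r}")
    return Event(datetime.fromisoformat(ts), user, priv, action, asset, int(value))


def load_events(lines):
    """Parse and sort chronologically so first/last seen are trivial to read off."""
    return sorted((parse_event(line) for line in lines), key=lambda e: e.ts)


def score(e: Event) -> int:
    """Asset value + action risk + privilege risk, per the article's three factors."""
    return e.asset_value + ACTION_RISK[e.action] + PRIVILEGE_RISK[e.privilege]


def priority(e: Event):
    """Map a score to a tier and an assumed response window in hours."""
    s = score(e)
    if s >= 6:
        return "P1", 4
    if s >= 4:
        return "P2", 24
    return "P3", 72


def scope_incident(events, seed_user):
    """Answer the 'gather more data' questions for one suspected user."""
    own = [e for e in events if e.user == seed_user]
    if not own:
        raise ValueError(f"no events for {seed_user}")
    # Intended targets: assets the seed user performed an exfiltration-class action on.
    targets = {e.asset for e in own if ACTION_RISK[e.action] >= EXFIL_THRESHOLD}
    # Other parties: anyone else who performed an exfiltration-class action on those targets.
    others = {
        e.user for e in events
        if e.user != seed_user and e.asset in targets
        and ACTION_RISK[e.action] >= EXFIL_THRESHOLD
    }
    tier, window = min(priority(e) for e in own)  # "P1" sorts before "P2"
    return {
        "first_seen": own[0].ts.isoformat(),
        "last_seen": own[-1].ts.isoformat(),
        "techniques": sorted({e.action for e in own if e.action != "login"}),
        "targets": sorted(targets),
        "other_parties": sorted(others),
        "priority": tier,
        "response_window_hours": window,
    }


if __name__ == "__main__":
    for key, val in scope_incident(load_events(SAMPLE_LOG), "jdoe").items():
        print(f"{key}: {val}")
```

Running the block scopes the constructed incident for `jdoe`: activity from 1 to 3 March, techniques `download` and `usb_copy`, target `finance-db`, with `asmith` flagged as a second party because of the external email of the same asset the next morning. The scoring deliberately rates a standard user copying a high-value asset to USB as P1, while an admin merely logging in to the same asset stays at P2, which matches the article's point that the action taken matters as much as who took it.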

Handover to HR

At this point, there should be sufficient evidence to explain the actions of an identified insider threat. The cyber security team might be tempted to deliver justice up front, but it’s not their place and best left to HR to deliver termination notices.

These events can stir up emotions, but it is crucial to lay the groundwork, follow policy, and then hand over to the appropriate personnel at the right time.


Sourced by Dr Jamie Graves, CEO, ZoneFox

Nick Ismail
