Recent research from IBM’s 2016 Cyber Security Index, as just one example, stated that 60% of the year’s breaches were caused by an insider threat. It’s a problem that is here to stay, and one that is likely to grow.
There are different levels to insider threats. They range from the malicious outsider who has found a legitimate door left open to your network, through to the vindictive employee sharing confidential information.
There’s also the lost laptop or the malicious link clicked by an unaware employee – which can catch out even the most vigilant.
There are dozens of pieces of writing regarding the insider security threat, but very little has been written about what happens once you uncover an issue within your network.
When dealing with an issue that can range from a lost memory stick through to corporate espionage, it’s vital to have a clear, structured plan to deal with a potentially damaging situation as efficiently as possible.
There are eight steps every company should take once an insider incident is uncovered to mitigate the damage. Having the right technology in place is vital, but get the next steps wrong and that investment could well be for nothing.
Partner up with HR
First off, in an ideal world you would have obtained HR buy-in on processes around dealing with the insider threat before anything bad happens.
Of course, we don’t live in an ideal world, so the first step is notifying HR and working together to form a process.
Back up your actions with documentation
Ensure that there are ample security policies and/or employee agreements that back up any actions that may take place due to insider threat activity.
Acceptable use policies, information security policies, and privacy policies – and any exceptions – must be tracked and employees should sign a form stating that they understand and agree to adhere to the policies. This supplies a strong legal footing for any following actions.
Classification is key
Once an incident stemming from an insider threat is declared, triage must take place very quickly.
Understand – as much as possible – whether the suspicious activity is intentional or not.
A user intentionally attempting to steal data should be handled differently from a user who accidentally downloads malware, and getting this decision wrong is costly.
Prioritise incidents accordingly
You need rules that outline timelines for dealing with an insider threat. In order to develop these timelines, you must first prioritise your incidents.
Priority can be assigned according to the value of the compromised information assets, the privilege level of the user, and the action being taken.
Decide on a mitigation plan
Next, you should devise a response plan based on the priority level, established processes and HR agreements.
Disciplinary measures, such as seizure of all of the user’s company assets, suspension of employment, or dismissal may be discussed.
Time it right
With your plan in place, it is time to act. Action, in this case, may include reducing or removing the user’s privileges on high-value assets, confiscating company assets in the user’s possession, and/or an interview with the HR and cyber security teams.
Be ready to cite policies and ensure that all parties involved are sending the same message.
Gather more data
Once you have acted to contain the threat, it’s imperative to understand when the activity may have started, whether more than one party is involved within the scope of the insider threat, any tools, techniques and procedures put to use, and what the intended target was (if the activity was intentional).
This can take some time, but it is worth ensuring that you have reached the root of the problem and that once you take action, the threat will be completely negated.
Handover to HR
At this point, there should be sufficient evidence to explain the actions of an identified insider threat. The cyber security team might be tempted to deliver justice up front, but it’s not their place and best left to HR to deliver termination notices.
These events can stir up emotions, but it is crucial to lay the groundwork, follow policy, and then hand over to the appropriate personnel at the right time.
Sourced by Dr Jamie Graves, CEO, ZoneFox