In our last post, we explored what constitutes an insider threat and the impact these threats can have. We underscored that managing the challenges insider threats pose is not solely an IT problem, as they span multiple business functions. But IT is a critical first layer of defense, so in this post we’ll look at insider threats from that perspective. In subsequent posts, we’ll widen the lens to consider other avenues and dimensions from which insider threats can infiltrate.
First of all, you have to understand that no single strategy or technology will apply to every organization—nor to every way in which an insider threat can grow and emerge. For both of these reasons, multiple strategies and technologies will always be necessary to effectively combat threats from inside the organization.
Put another way, since we’re addressing the IT realm specifically, technology solutions alone are not enough. However, combined with technically focused strategies, technology solutions can play an important role. But where should you start, and which strategies should you consider? In our experience, while various strategies are often considered, most organizations begin with one or more of the following:
- Activity monitoring: Organizations that understand what common day-to-day activity in their IT environment looks like (e.g., daily computer use patterns, software application use and the time of day when activities are performed) are better equipped to identify unusual or suspicious behavior.
- Access control: Restricting employees’ permissions so that each employee has access only to the IT systems (laptops, computers, servers, etc.) and software applications they need to complete their duties can help prevent insiders from accessing sensitive information they do not need.
- Regular security training: Organizations that regularly educate and train employees on leading security practices and the risks of insider threats can help prevent both malicious and unwitting insider activity and create a culture of security awareness.
- Incident response planning: A well-documented and well-rehearsed incident response plan can help you quickly and effectively respond when an insider threat has materialized.
- Focusing on company culture: Company culture plays a crucial role in preventing insider threats. Strong values, clear communication and effective leadership can foster a culture of trust and integrity, deterring employees from engaging in intentional, malicious activities against the organization—and helping them stay alert to the ways in which they might inadvertently enable threats themselves.
Assuming all or most of that is well in place, organizations should also work to proactively identify and assess insider threat strategies that align to their organizational objectives for managing insider threat impacts. Once you’ve identified what you want to accomplish, you can then begin exploring the technology solutions that align to those objectives. As we said earlier, no single technology solution is necessarily “right” for every organization, nor will it necessarily address the various objectives an organization might set for its insider threat program. Here, then, are a few technical solutions that are most commonly implemented, ideally in tandem:
- Data loss prevention (DLP): DLP software solutions can help organizations detect and prevent data exfiltration. They work by monitoring network traffic and identifying any sensitive data being sent outside of the organization.
- Identity and access management (IAM): IAM software helps manage employees’ access to IT systems and data. It allows you to control who has access to what, when they have it, and what they can do with it.
- User behavior analytics (UBA): UBA solutions allow for the detection of unusual or suspicious user behavior by analyzing system logs and other data sources.
- Security information and event management (SIEM): SIEM software solutions collect and analyze security-related data from multiple sources, including network devices, servers and software applications. A SIEM enables the creation of monitored alerts that can be customized to what the business considers malicious insider activity (e.g., accessing a confidential database outside of business hours, mass deletion or copying of files, etc.).
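
The two SIEM alert examples named above (confidential database access outside of business hours, and mass deletion or copying of files) can be expressed as detection logic over a stream of events. The sketch below is an added illustration, not code from the authors or from any SIEM product; the event fields, the resource name, the business hours and the thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; tune them to your own activity baseline.
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59, Monday to Friday
CONFIDENTIAL = {"hr_payroll_db"}       # hypothetical resource name
BULK_ACTIONS = {"file_delete", "file_copy"}
BULK_THRESHOLD = 5                     # events per user ...
BULK_WINDOW = timedelta(minutes=10)    # ... inside this sliding window

# Constructed sample events (not real logs): (time, user, action, resource).
SAMPLE_EVENTS = [
    ("2024-03-04T10:15:00", "alice", "db_query", "hr_payroll_db"),    # Mon, in hours
    ("2024-03-04T23:42:00", "bob", "db_query", "hr_payroll_db"),      # Mon, late night
    ("2024-03-05T09:00:00", "dave", "file_delete", "/share/old.txt"),
    ("2024-03-05T11:00:00", "dave", "file_delete", "/share/tmp.txt"), # 2 h apart
    ("2024-03-09T11:00:00", "erin", "db_query", "hr_payroll_db"),     # Saturday
] + [
    (f"2024-03-05T14:0{i}:00", "carol", "file_copy", f"/share/doc{i}.docx")
    for i in range(6)                  # six copies in six minutes
]

def outside_business_hours(when):
    """True on weekends or outside the assumed working hours."""
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS

def detect(events):
    """Return (rule, user, timestamp) alerts for the two rules."""
    alerts = []
    recent = defaultdict(deque)        # user -> times of recent bulk actions
    for ts, user, action, resource in sorted(events):
        when = datetime.fromisoformat(ts)
        if resource in CONFIDENTIAL and outside_business_hours(when):
            alerts.append(("off_hours_confidential_access", user, ts))
        if action in BULK_ACTIONS:
            window = recent[user]
            window.append(when)
            while when - window[0] > BULK_WINDOW:   # drop events outside window
                window.popleft()
            if len(window) >= BULK_THRESHOLD:
                alerts.append(("bulk_file_activity", user, ts))
                window.clear()         # re-arm so one burst raises one alert
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Alice's in-hours query and Dave's two widely spaced deletions raise nothing, which is the point of baselining normal activity before writing alerts.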
Again, if you take one thing away from this discussion, it should be this: effective insider threat detection and prevention requires a combination of strategies and technologies. With the right mix, your organization will be that much better prepared to protect its sensitive information and operations from malicious and unwitting actors alike.
Don’t hesitate to drop either one of us a line if you have questions or would like more information.
Meanwhile, looking ahead, we’ll be exploring the impact of remote work on insider threat risk, potential risks posed by external vendors and contractors, and insider threat prevention in the age of “bring your own device.” So, stay tuned!