10 Steps to Kicking Off Your Insider Threat Program

By Mark Wojtasiak, vice president, Code42

Malware, ransomware and other external cyber threats are usually the security threats that grab the most headlines. You might be surprised to know that insider threats are one of the largest unsolved issues in cybersecurity, according to McKinsey. A staggering half of all data breaches between 2012 and 2017 were derivative of some insider threat element. And in the last month alone, we’ve seen three high profile cases of employees stealing sensitive information from McAfee, Desjardins Bank, and SunPower Corp.

However, while businesses know they have to address this looming risk, they’re often stuck trying to figure out, “Where do we start?

Sure, it’s easy to just say, “build a comprehensive insider threat program,” but that’s daunting, time-consuming, expensive and complex. Building an insider threat program goes far and beyond “best practices.” It usually involves an entire team dedicated exclusively to insider threat detection and response, which sounds nice, but not realistic for those security teams working with a tight budget and limited team resources.

The complexity doesn’t stop there. The root of this approach is – dare I say it – legacy data loss prevention. Its ‘prevention-first’ approach and rigid policies frustrate users with barriers to productivity which, most of the time, lead to workarounds and loopholes.

This is doing your organization and employees more harm than good. We all need something simpler because insider threats show no signs of diminishing.

Here are 10 critical steps that make it faster, easier and more cost-effective to build your insider threat program:

  1. Get leadership buy-in: This might seem like a no-brainer, but it’s critical to the development of your security and IT team (and your future efforts) as value-adding business partners.
  2. Engage your stakeholders: The buy-in campaign doesn’t stop with the executive team. Think about the individuals that would lose the most if an insider threat event were to take place, and bring them into the fold from the start.
  3. Know what data is most valuable: You should have a pretty sound idea of what data is most valuable after speaking with leadership and line-of-business stakeholders. You might be thinking, “all data has value,” which is true, but these conversations will be essential to learning about the types of unstructured data to keep a watchful eye on, and which types of high-value unstructured data will require more creative means of tracking.
  4. Put yourself in the shoes of an insider: Think critically about the value in taking or moving information. What would they do with it? What tactics or workarounds might they employ to help them get the job done?

Seem straightforward? Up until this point, you should be determining the types of data you’re protecting and understanding the key indicators that might point to insider incidents. Keep reading – here’s where things get simpler.

5. Determine common, everyday insider triggers: Don’t get wrapped up in building a robust program with different types of classification schemes and policies that try to monitor every possible scenario. Instead, focus on your “foundational triggers,” or most common use cases that make up the vast majority of insider threat incidents, such as departing employees à la McAfee, high-risk employees, accidental leakage and organizational changes.

6. Create consistent workflows: Investigating suspected data exfiltration can be complex and time-consuming, so it’s important to define the key workflows for each foundational trigger. For example, when an employee departure is triggered, make sure you clearly define the workflow/plan of attack for this trigger and consistently execute on the steps you’ve established.

7. Establish a game plan: Once a workflow is triggered and potential data exfiltration identified, establish which key stakeholder is responsible for directly engaging with the employee/actor. Using the employee departure example again, this would likely trigger engagement from HR and the line-of-business manager. This clear line of communication not only separates security and IT teams from the “data police” reputation but also allows them to focus on data monitoring, detection and remediation.

8. Spread the knowledge: Small- and medium-sized businesses are typically working with a strained budget and limited resources, so a fully dedicated insider threat team – while ideal – isn’t always realistic. While your security and IT team should be able to handle the monitoring, detection and remediation responsibilities, they shouldn’t have to shoulder the full burden. Educating and training your stakeholders on the full scope of the insider threat program will prove critical so that they have a clearer understanding of what’s being monitored, specific case triggers, key workflows, rules of engagement and the tools needed to accomplish all of this. This training should also clearly define roles and responsibilities in the event of a triggered workflow.

9. Open the lines of communication: In order to maintain a healthy working relationship between your employees and your security/IT teams, it’s critical to communicate that your organization tracks file activity. Reiterate that the program is applicable to everyone – without privileges or exceptions – and is designed to maintain employee productivity while protecting the organization’s most valuable assets ­– its data.

10. Start now before it’s too late: The most successful insider threat program starts long before a trigger. A trigger event shouldn’t be the reason why you’re implementing your monitoring, detection and remediation technologies. A strong insider threat program continuously runs and provides context and complete visibility into all data activity at all times.

The industry needs to stop seeing insider threats as “employees stealing stuff” when in reality, it’s about the actions (good, bad, indifferent) that people take with any kind of data that puts the customers, employees, partner or company’s well-being at risk. Initiating an insider threat program with a simpler, workflow-based starting point around three to four high-risk triggers can effectively address 80 percent or more of your risks to insider threat.

About the Author

10 Steps to Kicking Off Your Insider Threat ProgramAs vice president of portfolio marketing at Code42, Mark leads the market research, competitive intelligence, and product marketing teams. Mark joined Code42 in 2016 bringing more than 20 years of B2B data storage, cloud and data security experience with him, including several roles in marketing and product management at Seagate.


August 3, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...