Top 5 Ways to Combat Insider Threat

by Dr. Eric Cole

I’ve been talking about insider threat for nearly 10 years and advocating the position that compromising an insider is a lot easier for an adversary than breaking into an organization from the outside. A study that I recently authored for SANS Institute (co-sponsored by Dtex Systems, Haystax Technology, and Rapid7) illustrates that attention to the problem of insider threat is still well below where it needs to be.

In particular, while 40% of survey respondents rate insider threat as the most damaging threat vector they face, nearly the same percentage (38%) say they don’t have an effective way to detect insider threat, and fewer than 20% have a response plan in place to mitigate damage from an insider incident.

Yet, there are some relatively easy ways to protect the organization from both the malicious insider and the unintentional insider. Here are my top five:

  1. Control or eliminate email attachments and links – email is the primary attack vector in use today, and while the message body itself isn’t dangerous, the links and attachments it carries are. Today’s security product vendors offer real-time malware assessment of links and attachments that will quarantine a suspicious attachment or block the connection to a dangerous link.
  2. Properly manage and control access to data and critical systems – role-based access control and the principle of least privilege are your friends. Work with your HR team and line-of-business managers to understand user roles and the types of application and data access each role needs to do its job. Then assign only that access level, no more.
  3. Know where your data is – an important corollary to point 2 is knowing where mission-critical and sensitive data resides in the system so that you can lock it down with appropriate permissions. If you don’t know where it is, how can you protect it with the right level of access?
  4. Monitor employee behavior and look for anomalies – this can occur at many levels, including user activity monitoring software. It’s not intrusive to look for excessive data dumps or repeated attempts to open files or directories that the user is not permitted to access – it’s good business. But it also makes sense to educate employees to be on the lookout for behavioral changes in their coworkers – what are the signs of financial or emotional distress that could lead to an attack on company systems…or worse.
  5. Raise security awareness – last but not least is the need for ongoing security awareness training that is an integral part of company culture – not an afterthought or a “checklist” item. A company that partners with employees to ensure security awareness will do better than one that forces compliance or just performs training to check a box.
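Points 2 and 4 above are concrete enough to show in code. The following is an added example written for this page, not code from the author or from the survey sponsors. It takes a small constructed file-access audit log (the line format is an assumption: timestamp, user, action, path, ALLOW or DENY, bytes) and flags the two behaviors point 4 names: repeated attempts to open files the user is not permitted to see, and a day on which a user pulls far more data than their own historical baseline. The thresholds (three denials per day, ten times the median of the user’s other days, and a 1 MiB floor to ignore small accounts) are likewise assumptions to be tuned per environment.

```python
"""Flag repeated access denials and data-volume spikes in an access log.
Added example for this page; the log format and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample audit log (not real data). Assumed format, one event
# per line: <ISO timestamp> <user> <action> <path> <ALLOW|DENY> <bytes>
SAMPLE_LOG = """\
2024-03-01T09:00:00Z alice read /finance/q1.xlsx ALLOW 20480
2024-03-02T09:05:00Z alice read /finance/q1.xlsx ALLOW 30720
2024-03-03T09:10:00Z alice read /finance/forecast.xlsx ALLOW 25600
2024-03-04T02:15:00Z alice download /finance/all-ledgers.zip ALLOW 524288000
2024-03-01T10:00:00Z bob read /eng/spec.docx ALLOW 10240
2024-03-02T10:30:00Z bob read /eng/design.md ALLOW 12288
2024-03-03T18:00:00Z bob read /hr/salaries.csv DENY 0
2024-03-03T18:00:05Z bob read /hr/salaries.csv DENY 0
2024-03-03T18:00:11Z bob read /hr/bonuses.csv DENY 0
2024-03-03T18:01:40Z bob read /hr/salaries.csv DENY 0
2024-03-03T18:05:00Z bob read /eng/notes.txt ALLOW 8192
2024-03-01T11:00:00Z carol read /sales/pipeline.csv ALLOW 40960
2024-03-02T11:00:00Z carol read /sales/pipeline.csv ALLOW 40960
2024-03-02T11:02:00Z carol read /finance/q1.xlsx DENY 0
2024-03-03T11:00:00Z carol read /sales/pipeline.csv ALLOW 40960
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    action: str
    path: str
    status: str
    nbytes: int

    @property
    def day(self) -> str:
        return self.ts[:10]  # ISO date prefix, used as the aggregation bucket


def parse_log(text: str):
    """Parse the whitespace-separated format above; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, action, path, status, nbytes = parts
        events.append(Event(ts, user, action, path, status, int(nbytes)))
    return events


def repeated_denials(events, threshold=3):
    """Return (user, day, count) for users denied `threshold` or more times in a day.
    A single DENY is normal friction; a burst against paths outside the user's
    role is the 'repeated attempts' signal from point 4."""
    counts = defaultdict(int)
    for e in events:
        if e.status == "DENY":
            counts[(e.user, e.day)] += 1
    return sorted((u, d, n) for (u, d), n in counts.items() if n >= threshold)


def volume_spikes(events, factor=10.0, min_bytes=1 << 20):
    """Return (user, day, bytes, baseline) where a day's ALLOWed bytes exceed
    `factor` times the median of that user's other days and at least `min_bytes`.
    Comparing each user to their own history avoids flagging roles that
    legitimately move a lot of data every day."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.status == "ALLOW":
            daily[e.user][e.day] += e.nbytes
    findings = []
    for user, days in daily.items():
        for day, total in days.items():
            others = [b for d, b in days.items() if d != day]
            if len(others) < 2:  # not enough history to form a baseline
                continue
            baseline = median(others)
            if total >= min_bytes and total > factor * baseline:
                findings.append((user, day, total, baseline))
    return sorted(findings)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for u, d, n in repeated_denials(evs):
        print(f"DENIED-ACCESS BURST  {u} {d}: {n} denials")
    for u, d, total, base in volume_spikes(evs):
        print(f"DATA-VOLUME SPIKE    {u} {d}: {total} bytes vs baseline {base:.0f}")
```

On the constructed log this reports bob’s four denied reads of HR files on 2024-03-03 and alice’s 500 MB pull at 02:15 on 2024-03-04 against a baseline of about 25 KB per day, while carol’s single denial and steady daily reads are left alone. In a real deployment the same logic would run over exported file-server, SharePoint or cloud-storage audit events, and the flagged (user, day) pairs are the starting point for the human follow-up the article calls for, not a verdict on their own.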

Finally, getting back to the survey, I’ll leave you with this important point.

It is easy, while evaluating attack vectors, researching competitors and gauging the threat from organized crime or foreign adversaries, to conclude that external attacks should be the primary focus of the defense. This conclusion would be wrong. The critical element is not the source of a threat but its potential for damage. Evaluating threats from that perspective, it becomes obvious that although most attacks might come from outside the organization, the most serious damage is done with help from the inside.

About the Author

Dr. Eric Cole is CEO of Secure Anchor, former CTO of McAfee and Lockheed Martin, member of the Commission on Cyber Security for President Obama, the security advisor for Bill Gates and his family, and author of a new book, Online Danger: How to Protect Yourself and Your Loved Ones From the Evil Side of the Internet. For more information, please visit, and connect with Dr. Cole on Twitter, @drericcole.

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.
