How to Mitigate Insider Threats

Organizations have long understood that insider threats can be among the most serious security challenges they face. A new report from consulting firm Deloitte describes the importance of taking steps to mitigate these risks, and it also offers advice for companies on the best ways to do that.

Developing a program to mitigate internal threats has become more urgent with the growing complexity of workplaces and the fact that insider threats are becoming more difficult to detect, the report states. The threats can include fraud, espionage, IT sabotage and theft of intellectual property.

Mitigation programs can help organizations strengthen their position against internal threats by providing early detection and a quick response. But the study points out that insider threats are not limited to information security; by looking at insider-threat mitigation broadly, C-level executives can help reduce the level of risk to their organization.

Developing a Mitigation Program

Deloitte recommends several actions companies can take when designing, creating and deploying a formal insider-threat mitigation program. Here are some of the highlights among these suggestions.

Organizations need to define potential insider threats. These can be employees, contractors or vendors who commit malicious or unintentional acts using their trusted and verified access to systems.

Deloitte says that few organizations have a specific working definition of such threat sources, partially because security budgets have historically focused on external threats. Defining potential insider threats is a critical first step to creating a program.

Enterprises also need to define their “risk appetite,” and identify the critical assets that need to be protected. What is the organization’s tolerance for the loss of or damage to those assets?

In addition, companies should identify key threats and vulnerabilities within the business and its processes. The program can then be shaped to address these specific needs and types of threats, while taking into account the organization’s culture.

The insider threat mitigation program should have a champion, a broad group of stakeholders and support from executive leadership. Companies should consider forming a cross-functional working group that ensures the proper level of buy-in across departments and stakeholders. This group should help address common concerns and should support the creation of messaging to the entire organization.

The program should not rely solely on technical solutions. It should also include critical business processes, such as segregation of duties for various functions, nontechnical controls, organizational change management components and security training programs.

Organizations should establish routine and random reviews of privileged functions, a practice commonly used to identify insider threats across a range of areas. They should trust their employees, but balance that trust with verification, avoiding unlimited access and single points of failure.

Finally, the report recommends that organizations “stay a step ahead.” Insiders’ methods, tactics and attempts to cover their tracks will constantly evolve, it warns, which means the insider-threat program should continually evolve as well.

Some kind of feedback mechanism that includes an analysis of ongoing and historical cases and investigations can help companies adapt their insider-threat programs to address new threats.