
Insider Threat Mitigations: People and Process

Robert Wagner

We've talked about the basics of establishing an Insider Threat Program in a previous article. And while technology will always be a key component of a successful insider risk program, the best place to start your program is with people and process. This is especially true if you have a small budget for security, since changes that leverage your people and processes are often the most cost-effective and can have the greatest impact. Let's look at what can be done with these two elements at any organization, regardless of size or budget.

Process Changes to Stop Insider Threat

There are a number of process changes you can make to protect your organization from malicious insiders. Some of the best changes include:

  1. Institute mandatory vacation policies for all employees, particularly those who have access to sensitive data
  2. Require dual authorizations for all sensitive transactions
  3. Require multi-factor authentication for all employees
  4. Use double-entry accounting to surface attempts at fraud by an insider

Empower Your People to Stop Insider Threat

At a minimum, every company should provide mandatory training for all employees in basic cyber hygiene. This includes how to avoid clicking on malicious links, how to recognize phishing emails, and how to identify malicious websites and conduct online research safely. Amazon now offers free cyber security training to everyone, and it's the same training they use internally! 

One of the best ways to stop insider threat is by identifying potential behavior that leads to insider threat -- before a risk becomes a threat. Smaller organizations can benefit from the fact that most employees know each other, and can help identify that behavior. Insider Threat training can help employees look for behavioral indicators of insider threats like:

  • Spending an unusual amount of time on a computer or a network, especially compared to their typical behavior
  • Talking about a desire to cause harm to the company, its employees, or its clients
  • Neglecting their usual responsibilities and focusing on a different task -- while spending an inordinate amount of time on that task
  • Being confrontational or using angry language with colleagues
  • Being more isolated from colleagues than usual
  • Changes in demeanor, such as becoming more withdrawn or reserved
  • Uncharacteristic or sudden purchases of equipment
  • Uncharacteristic or sudden increases in spending
  • Being secretive about their work
  • Uncharacteristic or sudden changes to their normal routine -- such as taking extended holidays or working from home

Along with training, you can implement additional incentives and controls around people. Some of the best ways are to encourage employees to report suspicious activity and to limit physical access to sensitive areas. Encourage employees to report suspicious activity by offering a reward. Reward programs are effective in encouraging employees to report other employees who are maliciously accessing data or breaking company rules. Limit physical access to sensitive areas by implementing a visitor log and requiring employees to escort visitors. This can help you to identify malicious insiders and trusted users gone bad.

Monitoring and Investigating Insider Threat

Once you've implemented changes to people and process, your next steps will be to begin monitoring for and possibly investigating occurrences of insider threats. Organizations have traditionally turned to SIEM technology to perform these functions -- usually a large, time-consuming and expensive undertaking. Fletch's Insider Risk app was designed to allow any organization to take on these challenges. In our next article we'll go into more depth on the technologies that can be used for Insider Risk Monitoring and Investigation, and how the Insider Risk app can help you achieve faster results.