Understanding Insider Threats and the Importance of Management

Alan Gin, CEO, ZeroDown Software
Learning how to monitor, identify, and respond to insider threats requires specific tools and capabilities.

This is a companion blog to “The SafeHouse” podcast dated September 5, 2024, with host Jeff Edwards, Co-Chair of the SafeHouse Initiative, and his guest Kyle Schlosser, Insider Threat Management, Data Loss Prevention and eDiscovery Subject Matter Expert.

“If you are interested in starting an insider threat program, the first thing that you should do is, the next time you log into your work computer, think about the damage that you could do, whether intentionally or unintentionally, with the access your company entrusted you with.” – Kyle Schlosser

In today’s digital landscape, organizations face numerous external cyber threats, but the internal threats posed by employees and contractors can be just as significant. Insider threats can manifest in both intentional and unintentional ways, making it crucial to establish effective management programs to mitigate risks.

What Are Insider Threats?

Insider threats refer to security risks originating from within the organization. Employees, contractors, or anyone with access to sensitive information can pose a threat, whether through malicious intent or simple negligence. Understanding the nature of these threats is the first step in developing a robust insider threat management program.

Kyle Schlosser describes your objective as: “I think at any firm, especially in a very competitive market, there’s always going to be a risk for insider threats where trusting employees to use their access responsibly. But that’s not always how it works out. (…) So the main objective for an insider threat program is to watch how your employees and your contractors are using their access.”

Building an Insider Threat Management Program

To start an insider threat program, consider the following steps:

  1. Assess Access: Evaluate what information and systems employees can access and consider the potential damage they could inflict, intentionally or not.
  2. Monitor Behavior: Implement tools to monitor employee activities. These tools can help identify abnormal behaviors that may indicate a potential insider threat.
  3. Educate Employees: Regularly educate staff on security protocols and the importance of safeguarding sensitive data. Awareness can significantly reduce unintentional insider threats.
  4. Collaborate with HR: Maintain close communication with the HR department to identify potential risks associated with employee dissatisfaction or high turnover.

The Role of Technology

Implementing specialized tools is vital for detecting insider threats. While traditional security operations focus on external threats, insider threat management tools can provide deeper insights into user behavior, helping to differentiate between malicious and benign actions. For instance:

  • Endpoint Monitoring: Tools like Proofpoint’s Insider Threat Management can log user activities on endpoints, allowing for real-time detection of risky behaviors.
  • Behavior Analysis: By analyzing user actions, organizations can identify patterns that may indicate a potential insider threat.

But what do you do if you don’t have technology available? As Kyle points out, “If you don’t have the tools at your disposal to help you identify insider threats in real time, (…) you need to understand where your high risk departments are, if there are people with incentive to take data to a competing firm.”


Case Studies and Real-World Examples

Real-life incidents highlight the importance of having an insider threat management program in place:

Case Study: Security Scorecard

A recent incident involved Security Scorecard, where a former employee took sensitive data to a competitor. This situation could have been mitigated with a proactive insider threat program, which would have allowed the company to monitor abnormal behaviors leading up to the incident.

At Security Scorecard, Kyle describes, “they found that this competitor was hosting mock interviews with some of the other Security Scorecard employees, trying to get them to reveal trade secrets and other (…) sensitive information on how Security Scorecard runs.”

Common Red Flags

Identifying early warning signs can help prevent insider threats. Some common indicators include:

  • Frequent off-hours communication with competitors.
  • Unusual access patterns to sensitive data.
  • Increased search activity related to job openings at competing firms.
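As an added illustration (not code from the post or the podcast), the following Python script applies two of these red flags, off-hours access to sensitive data and access to sensitive resources outside a user's established baseline, plus a download-volume check, to a constructed access log. The log format, the business-hours window and the 10× volume threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not from the post): timestamp,user,resource,sensitive,bytes
SAMPLE_LOG = """\
2024-08-26T09:15:00,alice,crm/accounts,yes,2048
2024-08-27T10:02:00,alice,crm/accounts,yes,1900
2024-08-28T11:40:00,alice,crm/accounts,yes,2200
2024-08-26T09:30:00,bob,wiki/onboarding,no,512
2024-08-27T14:05:00,bob,wiki/onboarding,no,640
2024-08-28T15:20:00,bob,wiki/onboarding,no,580
2024-09-03T23:10:00,bob,crm/accounts,yes,90000
2024-09-03T23:14:00,bob,finance/pricing,yes,120000
2024-09-04T10:00:00,alice,crm/accounts,yes,2100
"""

BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 counts as in-hours

def parse(text):
    """Turn the CSV log into (timestamp, user, resource, is_sensitive, bytes) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, res, sens, nbytes = line.split(",")
        events.append((datetime.fromisoformat(ts), user, res, sens == "yes", int(nbytes)))
    return events

def find_red_flags(events, baseline_end):
    """Return (user, reason, detail) for sensitive accesses after baseline_end (ISO date)
    that deviate from the user's own baseline: new resource, off-hours, or volume spike."""
    cutoff = datetime.fromisoformat(baseline_end).date()
    seen = defaultdict(set)   # user -> resources touched during the baseline window
    daily = defaultdict(int)  # (user, date) -> bytes transferred during the baseline
    for ts, user, res, sens, nb in events:
        if ts.date() <= cutoff:
            seen[user].add(res)
            daily[(user, ts.date())] += nb
    typical = defaultdict(int)  # user -> largest single-day volume seen in the baseline
    for (user, _), nb in daily.items():
        typical[user] = max(typical[user], nb)
    flags = []
    for ts, user, res, sens, nb in events:
        if ts.date() <= cutoff or not sens:
            continue  # only post-baseline touches of sensitive data are scored
        if res not in seen[user]:
            flags.append((user, "new-sensitive-resource", res))
        if ts.hour not in BUSINESS_HOURS:
            flags.append((user, "off-hours-sensitive-access", ts.isoformat()))
        if typical[user] and nb > 10 * typical[user]:  # assumption: 10x baseline is a spike
            flags.append((user, "volume-spike", nb))
    return flags
```

Running `find_red_flags(parse(SAMPLE_LOG), "2024-08-31")` flags only bob's two late-night pulls of sensitive resources he never touched during the baseline, each on all three criteria, while alice's routine CRM access stays clean.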


Conclusion

Insider threats are a complex challenge that requires a comprehensive approach involving technology, awareness, and collaboration across departments. By understanding the nature of these threats and implementing effective management strategies, organizations can better protect their sensitive data and mitigate risks.

Kyle’s final recommendation is to “think about putting yourself in the shoes of your peers or your employees and thinking about what kind of damage they could do with the access that they’ve been entrusted with (…). And then (…) start thinking about some high risk areas, and (…) go start auditing, you know, activity in those areas regularly, maybe looking at any kind of logs that your systems or tools are producing; there’s a chance that there is a capability there for you to review activity and identify abnormal behavior.”

For organizations looking to enhance their security posture, establishing an insider threat management program is not just a recommendation; it’s a necessity in today’s rapidly evolving cyber landscape.