Insider Threat Mitigation: Identify, detect, protect, respond, recover

One of the major cybersecurity issues that organizations face is the threat that comes from within. This “Insider Threat” is as common as a threat from an outside intruder, but can be even more impactful and costly. Insider threats are difficult to detect, especially considering that compromising activities can be both intentional and accidental.

Perhaps a file system containing important company information was removed. This could be an accidental act by an individual who did not know better or a malicious act purposely executed by a disgruntled employee wanting to hurt the organization through the loss of corporate data.

In either case, the organization is responsible for putting the appropriate controls in place to prevent such a situation, regardless of the insider’s intent. Below are some controls that prevent this kind of scenario:

Proactive controls

Information security has three overarching goals: confidentiality, integrity and availability (CIA).


Within the scope of these high-level goals, IT security specialists have defined best practices to help organizations ensure that their information stays protected. Incorporating corporate controls to keep data confidential, maintain the integrity of the data and ensure data availability will help organizations prevent—or at the very least be able to recover from—intentional and accidental threats.

Data sensitivity & classification: Determine the importance and sensitivity levels of data in the organization.

Principle of least privilege: Ensure people have only the rights, permissions, and privileges absolutely necessary to do their jobs; no more, no less.

Separation of duties: Ensure that no one person can perform a critical transaction or operation alone.

In the scenario above, data access should be configured so that business-critical data cannot be reached by anyone without a need to access it, and so that no single person can carry out such a destructive act without confirmation from an authorized approver.
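The three controls above can be expressed as one deny-by-default authorization check. The following is an added illustration, not code from the original article: users, the "hr-share" resource, the grant table and the sensitivity levels are constructed sample values. It combines a classification check (clearance must cover the data's sensitivity), least privilege (only explicitly granted actions pass) and separation of duties (a destructive action on sensitive data needs a second, differently named approver who holds an "approve" right).

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple

class Sensitivity(IntEnum):
    """Constructed classification ladder; higher values are more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    CRITICAL = 3

@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity

@dataclass(frozen=True)
class Principal:
    user: str
    clearance: Sensitivity

# Constructed sample grants: user -> {(resource, action)}. Anything not listed is denied.
GRANTS = {
    "alice": {("hr-share", "read"), ("hr-share", "delete")},
    "bob":   {("hr-share", "read")},
    "carol": {("hr-share", "approve")},
}

# Actions that can destroy data and therefore fall under separation of duties.
DESTRUCTIVE = {"delete", "wipe"}
HR_SHARE = Resource("hr-share", Sensitivity.CRITICAL)

def authorize(who: Principal, res: Resource, action: str,
              approver: Optional[Principal] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check denies by default."""
    # 1. Data classification: the requester's clearance must cover the data.
    if who.clearance < res.sensitivity:
        return False, "clearance below data sensitivity"
    # 2. Least privilege: only an explicit grant for this exact action passes.
    if (res.name, action) not in GRANTS.get(who.user, set()):
        return False, "no explicit grant for this action"
    # 3. Separation of duties: destructive acts on sensitive data need a second person.
    if action in DESTRUCTIVE and res.sensitivity >= Sensitivity.CONFIDENTIAL:
        if approver is None:
            return False, "destructive action needs a second approver"
        if approver.user == who.user:
            return False, "approver must be a different person"
        if approver.clearance < res.sensitivity or \
           (res.name, "approve") not in GRANTS.get(approver.user, set()):
            return False, "approver is not authorized for this resource"
    return True, "allowed"
```

The returned reason string is what an audit log or incident responder would want recorded alongside the decision.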

Threat mitigation

The scenario above is fairly simple and straightforward, but is quite common (especially for SMBs, who typically do not establish these strong policies and security guidelines). In today’s threat-laden environment, organizations of all sizes must take the appropriate measures to mitigate and respond to the unavoidable security threat, including the insider threat.

Below are a number of industry best practices that will help you mitigate and minimize the impact of an internal threat:

Security policy: A company security policy specifies security guidelines for internal and/or outsourced IT support services, as well as for vendors and suppliers that interface with the organization. It also establishes company security expectations of W2, temporary and subcontracted employees.

A well-defined security policy would cover such areas as: acceptable use, password construction & protection, email usage, bring your own device (BYOD) guidelines, remote access, and numerous others. Have this document prepared by a security specialist and approved by the executive team. Require each employee, consultant, and other appropriate parties to read and sign it, acknowledging that they have read and understood their responsibilities.

Incident response plan: The only thing worse than a cyberattack is not knowing what to do when an attack occurs. An incident response plan provides clear and concise guidelines to be followed once an attack is detected. The purpose of this response plan is to limit potential damage, protect sensitive data, and limit exposure. It also includes procedures to notify the appropriate officials and to begin the recovery process.

Insider threat program: An insider threat program is critically important because it can be difficult to identify threatening insiders and to detect their harmful activity in time to prevent it. Without proper training, employees may not recognize suspicious behavior, or may not know how to report such activity. A proactive insider threat program gives employees the information they need to identify a likely threat and a formal, professional channel for bringing it to the attention of company leadership.

End-user awareness training: Unfortunately, the majority of security breaches are the result of a lack of training provided to company employees and business partners. Even a minimal investment in end-user awareness significantly improves an organization’s security posture by equipping the participants with the security knowledge necessary to protect the organization’s data.

By addressing these four key areas, an organization can significantly increase security, which will allow them more time to focus on the business. Bring in a strong cybersecurity professional to help you to identify risks and vulnerabilities, protect against intrusion and data loss, detect compromises, respond to an attack before significant damage occurs and recover data that may have been lost or corrupted.

Mike Battistella is the President of Solutions3 LLC, an IT Management Company focusing on cyber security management, network & systems management, IT service management, critical notification management and technical & soft skill training.