Using a Risk Management Approach to Build Your Insider Threat Program

By Findlay Whitelaw

 

After speaking on a recent webinar, “Navigating Cybersecurity Threats, Challenges and Innovation in 2023” I was contacted by several customers interested in finding out more about how to best navigate their approach to setting up an insider threat program. This article aims to signpost a distilled approach, which is by no means exhaustive. Nonetheless, it looks to provide suggested points for consideration using a risk management approach, acknowledging that there will be varying organizational needs, goals, budgets, and resources required to set up an insider threat program, driven in part by the diverse industries, organizational structures, and evolving threat landscapes. 

It is important to stress that this is only one example of a risk framework that can be utilized and developed further depending on your organizational requirements. However, this simple approach will facilitate understanding and articulating the insider risk from which a business case and insider threat program plan can be developed, designed, architected, and deployed.

Define your insider threat program

When considering setting up an insider threat program, everyone involved must be on the same page, with openness and transparency in their organizational communications and purpose. As a first step, I suggest defining, documenting, and communicating the following:

  • The meaning of insider, insider risk, and insider threats 
    • An insider can relate to an individual, person, employee, former employee, contractor, or a third-party supplier
    • An individual, person, employee, former employee, contractor, or third-party supplier who, by virtue of their role, function, and/or seniority, who have or previously had legitimate access to systems, sensitive data, and financial assets which could cause harm to the organization, is defined as an insider threat
    • Insider risk focuses on the data, assets, impacts and exposures to the organizational  welfare and resiliency, including their customers and employees
  • The types of insider threats and incidents that can occur, including malicious, accidental, and third-party threats
  • How insider risks and threats can materialize, such as data loss, theft, cyber theft, sabotage, espionage, and violence
  • How insider risks relate to your specific industry or organizational setting; what is important to one organization may not be relevant to another, varying and diverse organizational set ups, size, and structures are all contributing factors
  • The overall impact that insider incidents or attacks can have, including:
    • Reputational damage, resulting in loss of confidence and trust from customers and shareholders
    • Financial loss, resulting in decreases in market value, loss of revenue, intrinsic value (loss of IP), and remediation costs
    • Operational impacts and implications, including the loss of production and operational disruption
    • Regulatory and legal implications, depending on the incident and severity there can be fines due to regulatory and legal obligations and sanctions
  • The purpose of your insider threat program. A statement of intent or purpose statement will help frame the aims and objectives, an example statement may say “…to reduce the likelihood and impact of insider threats and incidents to protect organizational, customer, and employee data and interests”. The purpose should also reinforce the organization’s commitment to preserving employee trust and a positive organizational security culture.

Identify critical assets

Secondly, identify your critical assets. This can include finances, information/data, systems, physical assets, and resources. Some questions that need to be asked here include: 

  • Do you have a critical asset register identifying people, processes, technology, and services?
  • Have you identified who manages the internal  critical asset registers (policy, process, testing)? 
  • Do you know who is responsible and accountable for managing any outsourced assets and are you clear on what assurances and controls are in place to protect them?
  • Do you know when the asset register was last updated, and was the effectiveness tested?

It is not enough to ask these questions; you should also identify mitigating controls and policies already in place, including cyber controls, access controls, background checks, and screening policies as some examples. 

Assess risk

After you have identified your critical assets, then assess the impact to your organization should an insider threat occur, and conduct and document a broader risk assessment, evaluating the effectiveness of available countermeasures. 

Insights and learnings can be taken from previous risk assessments, audits, operational control test findings, critical asset reviews, and the effectiveness of cross-functional interlocks. Furthermore, and very importantly, the assessment of what resources are potentially required to strengthen or develop your insider threat program or strategy is essential. Below are some suggestions to support your assessment:

  • Conduct an insider threat landscape review
  • Review the current applicable organizational policies, for example the data privacy policy, and update if required
  • Review relevant ethical, legal, regulatory, and compliance standards
  • Estimate resources for the program and insider response team
  • Assess your program maturity as it progresses

Manage your goals and program

Last, but not least, you should look to manage critical aspects of your insider threat program, suggestions include:

  • Manage, prioritize, monitor, and track identified risks
  • Create a stakeholder map or RACI to ensure that all stakeholders and interested parties are involved and understand the insider threat program’s purpose
  • Continually review your current technology stack and identify new opportunities to build new use cases in line with the threat landscape review
  • Establish and identify the critical success factors of your insider threat program
  • Review, pilot and evaluate opportunities for emerging technologies and processes to mitigate the risks

Furthermore, while we can all acknowledge and recognize that our people are our first and last line of defense regarding security, the power that effective communication, training, and awareness have for all staff shouldn’t be underestimated or under-invested. Ensuring that insider risks and your insider threat program’s purpose are well understood across the organization is also critical to managing and creating an empowered, positive security culture while maintaining regulation, policy, and standards across your insider threat program (for example, data privacy and GDPR). 

Regular audits, benchmarking, re-assessment of your insider threat maturity levels, and a regular review of your insider threat program priorities are also critical. Equally, managing and measuring the success criteria of your program not only helps track impact and risk reduction, but can also justify continued support, resources, and funding in an already constrained, competitive cost control and budgeting environment. 

While setting up an insider threat program to protect organizational interests is essential, it should not be detrimental to employee trust or create a negative company culture. In our upcoming blog post, “How to maintain employee trust when setting up your insider threat program,” I will explore and discuss this further.