Created by the Security Executive Council
Now perhaps more than ever, insiders, both malicious and otherwise, can inflict significant damage on organizations almost instantaneously. It is no wonder that insider threat is frequently cited as one of the top risks to organizations today.
This Security Barometer examined actions being taken to mitigate insider threat. Below is a summary of the results.
Over half of organizations polled do not have a formal insider threat program.
While it is commonly thought of as one of the top risks, most organizations do not appear to have a formal insider threat mitigation program. Only 46% of respondents had a formal program in place.
Insider threat is not an IT-only hazard
About 44% of respondents had some responsibility for information security. The level of responsibility for information security had no significant impact on responses.
Other Actions Being Taken
We asked respondents to describe other actions they are taking to address insider threat. While monitoring and limiting access was clearly the most important action to combat insider threats, awareness campaigns and training were the most frequently cited additional actions being taken, followed by pre-employment screening / background investigations. Other notable actions included partnerships with law enforcement, email classification systems, and having a formal insider threat manager who reports to the executive committee.
What if cost or gaining buy-in was not a factor?
We asked the respondents, "If you could do anything, regardless of cost or buy-in, to mitigate insider threat, what would that be?" Here is a selected sampling of the answers provided:
- Have formal insider threat program and/or dedicated team addressing the threat
- Internal investigations task-force separate entity from the company
- Get executives/board to understand the risk
- To authorize security to actively investigate people/processes necessary
- To take background screening of staff and contractors seriously
- More robust separation of duties & least-privilege access
- Train executives on internal threats
- Conduct post-employment background checks
- ...of employees in key/critical positions
- polygraph "for cause"
- credit history checks
- Introduce profile checks on staff to note change in behavior or status
- Implement an enterprise-wide education /awareness program
- Monitor all IT traffic
- comprehensive system activity logging
- data loss protection technology
- more pro-active automated monitoring of systems
- better detection systems
- Software tools to detect fraudulent transactions in real-time
- Enforce file tracking and classification
- Business conduct hotline for anomalies and individuals of concern