The Top Action to Combat Insider Threat

Now perhaps more than ever, insiders both malicious and otherwise can wreak a significant amount of damage to organizations almost instantaneously. It is no wonder that insider threat is frequently cited as one of the top risks to organizations today.

This Security Barometer examined actions being taken to mitigate insider threat. Below is a summary of the results.

[Chart: top insider threat mitigation actions]

Over half of organizations polled do not have a formal insider threat program.

While it is commonly thought of as one of the top risks, most organizations do not appear to have a formal insider threat mitigation program. Only 46% of respondents had a formal program in place.

Insider threat is not an IT-only hazard

About 44% of respondents had some responsibility for information security. The level of responsibility for information security had no significant impact on responses.

Other Actions Being Taken

We asked respondents to describe other actions they are taking to address insider threat. While monitoring and limiting access was clearly the most important action to combat insider threats, awareness campaigns and training were the most frequently cited additional actions, followed by pre-employment screening and background investigations. Other notable actions included partnerships with law enforcement, email classification systems, and a formal insider threat manager reporting to the executive committee.

What if cost or gaining buy-in was not a factor?

We asked the respondents, "If you could do anything, regardless of cost or buy-in, to mitigate insider threat, what would that be?" Here is a selected sampling of the answers provided:
  • Have formal insider threat program and/or dedicated team addressing the threat
    - Internal investigations task-force separate entity from the company
  • Get executives/board to understand the risk
    - To authorize security to actively investigate people/processes necessary
    - To take background screening of staff and contractors seriously
    - More robust separation of duties & least-privilege access
    - Train executives on internal threats
  • Conduct post-employment background checks
    - ...of employees in key/critical positions
    - polygraph "for cause"
    - credit history checks
    - Introduce profile checks on staff to note change in behavior or status
  • Implement an enterprise-wide education /awareness program
  • Monitor all IT traffic
    - comprehensive system activity logging
    - data loss protection technology
    - more pro-active automated monitoring of systems
    - better detection systems
    - Software tools to detect fraudulent transactions in real-time
    - Enforce file tracking and classification
  • Business conduct hotline for anomalies and individuals of concern

Here is Some Helpful Information about Addressing the Insider Threat Risk:

Metrics for success - What is the Cost of a Bad Employee?

From the Metrics for Success series created by George Campbell, Security Executive Council Emeritus Faculty, and originally published in Security Technology Executive.

Results from the Annual "Threats to Information Protection" Research

Kennesaw State University's Center for Information Security Education recently conducted extensive research into information protection. This partial summary of the results includes data collected on internal threats.

Solutions Snapshot: Insider Theft/Fraud

Four security professionals offer solutions for protecting yourself from employee theft and fraud during hard economic times. From the March 2009 issue of Security Technology Executive.

The Insider Threat

Created by Marleah Blades, formerly Security Executive Council Staff, this article discusses how to best use a layered approach to help mitigate insider risks.

The Threat of the Malicious Insider: What Is the CFO's Responsibility?

This article was written by Bob Hayes, SEC Managing Director; Kathleen Kotwica, SEC EVP and Chief Knowledge Strategist; and Richard Lefler, SEC Faculty Member Board of Advisors. It was originally published in an issue of Financial Executive magazine and can be very useful in helping people outside of security understand the organization's role in addressing insider risk.

Insider Threat Self-Assessment Tool

The Security Executive Council provides strategic advisory services addressing insider threat. We have built successful insider threat programs while managing security risk mitigation for some of the world's most well-regarded organizations. Now we leverage that experience to help teams like yours create or enhance your own insider threat risk programs. Contact us to find out about our insider threat self-assessment tool and what we can accomplish for you.