Four Priorities for Aligning Your Insider Threat Program
Organizations based in the United States continue to deal with considerable intellectual property theft and largely do not address the issue until there is a problem. The ability to effectively monitor for negligent or malicious insider threat activity is largely dependent on four main factors:
Aligning the Stakeholders
Generally, three main stakeholders must come together: legal, human resources, and some combination of security and information technology understanding the technical components depending on the organization. Technical stakeholders may include many subcomponents such as network infrastructure or application development.
Policies and Consent
Generally organizations need to be aligned on legal disclosure to employees and be comfortable implementing policies appropriate for the culture of the organization. According to Crowell and Moring legal expert Gabe Ramsey, from a U.S. law perspective, “there is a lot of opportunity to obtain consent and make disclosures to employees when they join the company, or along the way, to get broad authority to monitor employees”.
While some exceptions are made, including state laws that restrict monitoring in personal places such as restrooms, companies can place significant and broad monitoring measures in place at a physical office location or on company technical assets (endpoints). However, what is acceptable from a cultural perspective must also be considered. Once the policy and consent obstacles are overcome and in place, an organization can begin to implement the appropriate monitoring mechanisms in place to respond quickly in the event of an incident.
Implement for Quick Wins
Insider threat alerts generally arise from two areas:
- Technical monitoring
- Reporting suspicious behavior
Aggregating the right internal telemetry to conduct appropriate technical monitoring is a tremendous challenge as companies grow in size and scale. According to Ramsey, “organizations always have to align on policy in terms of comfort levels of monitoring for extended periods versus monitoring around immediate administrative terminations”. It’s important to set limited scope monitoring efforts that can be effective. Initial steps can include implementing alerts against suspicious emails and data movement to unauthorized third-party file sharing sites. If such an alert is triggered,the appropriate stakeholders come together and authorize additional, more invasive monitoring measures.
Joining Internal Resources with External Resources
After implementing technical and HR/legal human elements that allow a company to respond quickly to insider threats, it then becomes critical to join internal data analysis and investigations into activity happening outside a company’s network and physical perimeter. In most IP theft cases he sees, Ramsey indicates it is critical to marry up internal investigations (network monitoring, employee interviews, etc) with outside information from security experts to discover the true intent, purpose and motivations behind insider threat actions. External diligence can include reviews of employee social media and forum activity, travel patterns and online footprint often providing illuminating detail on an individual’s connections, interests and activities. Leveraging this information together with internal investigative findings can give the suspicious activity important context, often allowing for a comprehensive narrative to form and enabling decisive action.