Four Priorities for Aligning Your Insider Threat Program

by | May 6, 2020 | Blog

Organizations based in the United States continue to deal with considerable intellectual property theft, and most do not address the issue until there is a problem. The ability to effectively monitor for negligent or malicious insider threat activity depends chiefly on four main factors:

Aligning the Stakeholders

Generally, three main stakeholders must come together: legal, human resources, and, depending on the organization, some combination of security and information technology staff who understand the technical components. Technical stakeholders may include many subcomponents such as network infrastructure or application development.

Implement for Quick Wins

Insider threat alerts generally arise from two areas:

  • Technical monitoring
  • Reporting suspicious behavior

Aggregating the right internal telemetry to conduct appropriate technical monitoring is a tremendous challenge as companies grow in size and scale. According to Ramsey, "organizations always have to align on policy in terms of comfort levels of monitoring for extended periods versus monitoring around immediate administrative terminations." It is important to start with limited-scope monitoring efforts that can be effective. Initial steps can include implementing alerts against suspicious emails and data movement to unauthorized third-party file sharing sites. If such an alert is triggered, the appropriate stakeholders come together and authorize additional, more invasive monitoring measures.
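As an added example (not code from the original post or from Ramsey), the following script shows what one of these limited-scope "quick win" alerts can look like in practice: it scans web-proxy log lines for upload-style requests (POST/PUT) to a short list of file-sharing services the company has not sanctioned, and raises an alert either on a single large upload or when a user's aggregate upload volume to such sites crosses a daily threshold, which catches the "low and slow" pattern a per-request rule alone would miss. The log format, the domain lists, the user names and the byte thresholds are all assumptions constructed for illustration; a real deployment would take them from the proxy or DLP product and from the policy the stakeholders agreed on.

```python
"""
Added example: a minimal detector for data movement to unauthorized
third-party file-sharing sites, run over constructed proxy log lines.
Not from the original post; log format, domains and thresholds are assumed.
"""
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
# <timestamp> <user> <method> <url> <bytes_sent> <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<url>\S+)\s+(?P<bytes>\d+)\s+(?P<status>\d{3})$'
)

# Hypothetical policy lists. Sanctioned hosts are exempt; the unauthorized
# list is deliberately short so the rule stays narrow and low-noise.
UNAUTHORIZED_SHARING_DOMAINS = {"wetransfer.com", "mega.nz", "dropbox.com", "mediafire.com"}
SANCTIONED_DOMAINS = {"files.example-corp.com"}

UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024    # single request >= 5 MiB (assumed)
DAILY_BYTES_THRESHOLD = 50 * 1024 * 1024    # per user per day >= 50 MiB (assumed)


def host_of(url):
    """Extract the host part of a URL (scheme://host[:port]/...)."""
    m = re.match(r'^[a-z]+://([^/:?#]+)', url)
    return m.group(1).lower() if m else ""


def matches_domain(host, domains):
    """Exact or subdomain match, so 'notdropbox.com' does not match 'dropbox.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = host_of(rec["url"])
    return rec


def detect_uploads(lines):
    """Return alert dicts for upload activity to unauthorized sharing sites."""
    alerts = []
    per_user_day = defaultdict(int)  # (user, day) -> bytes uploaded so far that day
    daily_alerted = set()            # (user, day) keys that already raised a volume alert
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue  # unparsable or not an upload-style request
        if matches_domain(rec["host"], SANCTIONED_DOMAINS):
            continue  # approved corporate service: out of scope by policy
        if not matches_domain(rec["host"], UNAUTHORIZED_SHARING_DOMAINS):
            continue  # not a known unauthorized sharing service: out of scope for this rule
        if rec["bytes"] >= UPLOAD_BYTES_THRESHOLD:
            alerts.append({"rule": "large_upload", "user": rec["user"], "host": rec["host"],
                           "bytes": rec["bytes"], "ts": rec["ts"]})
        key = (rec["user"], rec["ts"][:10])  # day portion of an ISO 8601 timestamp
        per_user_day[key] += rec["bytes"]
        if per_user_day[key] >= DAILY_BYTES_THRESHOLD and key not in daily_alerted:
            daily_alerted.add(key)
            alerts.append({"rule": "daily_volume", "user": rec["user"], "host": rec["host"],
                           "bytes": per_user_day[key], "ts": rec["ts"]})
    return alerts


# Constructed sample log: one 8 MiB upload to Dropbox, a 100 MiB upload to the
# sanctioned service, two WeTransfer uploads (3 MiB, then 60 MiB), an upload to a
# look-alike domain, an internal mail POST, and an unparsable line.
SAMPLE_LOG = """\
2020-05-06T09:12:01Z jdoe GET https://www.dropbox.com/home 512 200
2020-05-06T09:13:44Z jdoe POST https://content.dropbox.com/upload 8388608 200
2020-05-06T10:02:10Z asmith PUT https://files.example-corp.com/api/v1/blob 104857600 201
2020-05-06T11:30:00Z jdoe POST https://wetransfer.com/api/v4/transfers 3145728 200
2020-05-06T11:31:00Z jdoe POST https://wetransfer.com/api/v4/transfers/files 62914560 200
2020-05-06T12:00:00Z bjones POST https://notdropbox.com/upload 9437184 200
2020-05-06T12:05:00Z bjones POST https://mail.example-corp.com/send 20480 200
garbage line that does not parse
"""

ALERTS = detect_uploads(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for a in ALERTS:
        print(f'{a["ts"]} {a["rule"]:13} user={a["user"]} host={a["host"]} bytes={a["bytes"]}')
```

On the sample log this raises three alerts, all for the same user: two single large uploads (Dropbox, then WeTransfer) and one daily-volume alert once that user's uploads to unauthorized sites exceed 50 MiB. The sanctioned service, the look-alike domain and the internal mail host are ignored by design, which is the point of starting narrow: the rule produces a small number of alerts that the legal, HR and security stakeholders can act on before authorizing broader monitoring.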

Joining Internal Resources with External Resources

After implementing the technical and HR/legal elements that allow a company to respond quickly to insider threats, it becomes critical to join internal data analysis with investigations into activity happening outside the company's network and physical perimeter. In most IP theft cases he sees, Ramsey indicates it is critical to marry up internal investigations (network monitoring, employee interviews, etc.) with outside information from security experts to discover the true intent, purpose and motivations behind insider threat actions. External diligence can include reviews of an employee's social media and forum activity, travel patterns and online footprint, which often provide illuminating detail on the individual's connections, interests and activities. Leveraging this information together with internal investigative findings gives the suspicious activity important context, often allowing a comprehensive narrative to form and enabling decisive action.