Defending Against Insider Threats (Part 1)

In their “Common Sense Guide to Mitigating Insider Threats 4th Edition,” CERT provides an exhaustive set of recommendations for defending against insider threats. This raises the question, “Can a company actually defend against insider threats?” Insider threats can be stopped, but it will require a layered approach throughout the company.

As with many security issues, companies need a strategy that combines policies, procedures and technical controls. This touches multiple departments or aspects of the business, including:

  • Human Resources (HR)
  • Legal
  • Physical Security
  • Data Owners
  • Information Technology (IT), including Information Assurance (IA)
  • Software Engineering

Management must pay close attention to many aspects of the organization, including its business policies and procedures, organizational culture, and technical environment. Additionally, the leadership must look beyond IT to the organization’s overall business processes and the interplay between those processes and any deployed technologies.

CERT provides 19 recommendations that involve all of the above departments. It might be helpful to divide these recommendations into processes that focus on people and processes that focus on information technology. In this post, I’ll provide a quick summary of the people-oriented processes, and in the next, I’ll review the processes that focus on IT issues.

It is essential to pay attention to all the people that have some form of access to vital information, including staff, contractors, vendors and more. Anyone that can access some aspect of the company’s critical assets could potentially pose a threat. Here is a list of best practices from CERT.

1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
Whether hiring new staff, entering into a business partnership, or acquiring staff during a merger, it is important to conduct a background investigation prior to granting any access to data. Additionally, it is important to require non-disclosure agreements (NDAs) upon beginning and terminating employment or contracts. Allow partners access only to task-related information, and disable printing/copying for any sensitive documents.

2. Incorporate insider threat awareness into periodic security training for all employees.
Require initial security training and ongoing security training updates for all employees and business partners. The training should include a thorough review of insider threat issues.

3. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
Proper vetting and training can help all staff be aware of behaviors that might indicate an insider threat.

4. Anticipate and manage negative issues in the work environment.
If anyone on staff is having ongoing or impending personnel issues that could lead to a threat, it is important to take notice and possibly initiate auditing processes.

5. Develop a comprehensive employee termination procedure.
It is essential to maintain a standard termination process checklist that includes reviewing non-disclosure agreements, tracking all accounts related to the specific employee, notifying relevant parties of the employee’s departure, and archiving and blocking accounts (including collecting company equipment and wiping company data from any employee-owned wireless device).

6. Be especially vigilant regarding social media.
Establish and enforce a social media policy about what is and is not permissible to share on social media. Train staff to be aware of social engineering threats that may come through social media, email or phone calls.