Over the years I've helped many organizations build and improve insider threat programs. Some companies employ the right mix of technology, process and awareness, while others probably still have a lot of work to do. One question that often comes up when I first talk with an organization is "Where do we start?"

My answer is, very simply, "At the beginning."

The answer may be simple but it certainly isn't easy. There's a reason that insider threats are such a huge source of concern today: Insiders are responsible for a significant proportion of attacks on organizational data. For example, IBM's 2015 Cyber Security Intelligence Index pins 55 percent of all attacks on insiders, a combination of malicious efforts and inadvertent actors.

The data that's at risk isn't shrinking, either. I've seen firsthand just how much information organizations have stored on their systems. With data stored in so many places and accessed by so many people, it's understandable that when they start trying to unravel the Gordian knot of protecting all this information, they freeze.

Building an insider threat program from nothing takes some time to do right. Here are a few basic tips to think about when you're setting out on that journey.

1: Know your data.

You can't protect something you don't know anything about. It's vitally important to catalog the information your systems contain. Answering questions like "What server is that data on?" "Where is that information physically located?" and "Who has access to that application?" is a much more important step than many organizations realize.

A formal data map and access audit are the foundations for a successful insider threat program.

2: Set priorities.

I worked with an organization that was in the process of mapping its data for many reasons, one of which was creating an insider threat program. On one of the first days on site with them, I asked, "Have you identified your crown jewels?"

They proudly answered "Yes, all 80-plus of them."

I give them credit for trying to prioritize their data, but more than 80 crown jewels? Really? That's simply too many priorities to work with. Instead, we recommended that they try to create priorities within those applications by considering which applications or data would cripple the organization if they were compromised and placing those specific items at the top. These priorities are what we consider to be their critical value data.

While massive databases of customer data are very important, sometimes very specific documents like strategic plans or company financials would prove more damaging if they fell into the wrong hands. These are also easier to identify and protect than huge sets of data, which can come later on in the process.

3: It's not just about technology.

Insider threats are not merely a technology problem. They're also a risk management problem, as we wrote in our whitepaper, "A Holistic Approach to Countering Insider Threats." An organization needs to set this expectation early and bring it up often during the building and implementation process. You may need to elevate insider threats out of the IT department; to get the proper attention, the issue needs to make its way to the C-suite and the boardroom.

Many "programs" are technical implementations, tools that sound good when they are pitched or demonstrated but that fall short when they are installed and start getting used in a real environment. They either don't do everything that they claim to do or, more often, they fall short because the right training, procedures, awareness and other supporting factors aren't put into place.

Building an insider threat program takes all of these things to succeed. Of course technology is important. But tools are only one piece of the puzzle. By setting expectations with the organization's leadership (not just IT leadership, but all leadership), targeting the most critical value data, and focusing equal attention on the factors surrounding the technology, you can set yourself on the path to creating an effective, functional, and complete insider threat program.

Keith Lowry is Nuix's senior vice president for business threat intelligence and analysis. He served as chief of staff to the deputy undersecretary of Defense for human intelligence, counterintelligence and security at the Pentagon, and as an information security consultant in the private sector.
