Mitigation of insider threat is a complex and intensive process. The following steps to reduce risks associated with insiders do not encompass all one can do, but do address 7 of the most important processes to maintain security.
1. Screen before you hire
Performing a background check can help identify candidates who present a higher risk of insider theft during the hiring process. According to a recent CERT study, thirty percent of employees who committed insider theft had a previous arrest history: 18% had been arrested for violent offenses, 11% for drug- or alcohol-related offenses, and 11% for non-financial/fraud-related theft offenses.
2. Monitor employee behavior
Changes in employee behavior or financial status should be recognized and evaluated. Disgruntled employees will inevitably show their dissatisfaction, and proactive measures should be taken to address their issues. Employees who have recently encountered financial problems should be monitored, as they are more likely to commit insider theft for financial gain.
3. Create and enforce clear security policies and procedures
Assessing risk factors specific to an organization and implementing the proper security policies and procedures lessens insider threat risk. These policies and procedures will vary by organization, but some essential security basics are appropriate throughout. Monitoring of file use, user privileges, logons, and downloads to removable storage devices should be in place for any employee with access to anything not in the public domain.
4. Educate employees on IT security
IT security policies mean nothing if the employees in an organization are unaware of them. Upon hiring, employees should read and sign documentation addressing company security policies. Periodic re-training should take place to ensure that all employees are up to date on the current policies and procedures. Security awareness is not like riding a bike; it can be forgotten or pushed to the edges of one’s memory. Security training updates help employees keep company security at the forefront of their thoughts while conducting business.
5. Enforce separation of duties
Giving users the least privileges necessary to perform their job duties is essential to maintaining a secure environment. It is equally important to re-evaluate and maintain least privilege when employees are promoted, demoted, or make a lateral move in the company.
6. Remove user access following termination
Once an employee has been terminated, it is of the utmost importance to revoke all access privileges immediately and repossess all company devices (e.g. Blackberry devices and laptops). In certain instances where termination occurs amicably, further access may be allowed to the ex-employee for a specified period of time. Though this practice is not recommended, should a business feel that it is appropriate, it would be wise to monitor this user’s access heavily to ensure the safety of proprietary information and critical system or data files.
7. Audit, audit, audit!
Auditing is possibly the most valuable prevention and detection method regarding insider threat. Any signs of misappropriation of information can be seen through the proper auditing tool, if used well. Any good auditing tool should be able to monitor file/folder/directory access and manipulation, changes to user privileges or group policy, USB storage device downloads, logons and logoffs (including failed logon attempts), and native event logs.
Reporting capabilities are important in an auditing tool. Windows logs can provide most of the information necessary to discover illegitimate activity; however, the logs are cryptic, and manually culling the pertinent data into a sensible report takes a lot of time and resources. Auditing tools should provide reporting that is clear, concise, and easily readable.
Real-time alerts are quite useful when configured to notify the appropriate party of specific actions that require immediate attention. It should be possible to send them to any number of parties, and to different parties depending on the incident being reported.
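Below is a small detector of the kind step 7 describes, added here as an illustration and not taken from any particular auditing product. It runs over a constructed sample of Windows Security events (4625, 4732 and 4663 are real Event IDs; the flattened one-line format, the drive-letter-to-USB mapping and the recipient addresses are assumptions) and shows the three capabilities the text asks for: culling cryptic logs into readable findings, a threshold on failed logons, and routing each kind of alert to a different party.

```python
import re
from collections import Counter

# Constructed sample: Windows Security events flattened to one line each
# (timestamp, Event ID, key=value fields). Not a real capture.
SAMPLE_LOG = """\
2024-01-10T08:01:12 4624 user=jsmith host=WS01 logon_type=2
2024-01-10T08:02:40 4625 user=admin host=WS07 status=0xC000006D
2024-01-10T08:02:43 4625 user=admin host=WS07 status=0xC000006D
2024-01-10T08:02:47 4625 user=admin host=WS07 status=0xC000006D
2024-01-10T08:02:51 4625 user=admin host=WS07 status=0xC000006D
2024-01-10T08:02:55 4625 user=admin host=WS07 status=0xC000006D
2024-01-10T09:15:03 4732 user=jsmith host=DC01 group=Administrators member=jsmith
2024-01-10T17:42:30 4663 user=rlee host=WS03 object=E:\\payroll.xlsx access=WriteData
"""

FAILED_LOGON_THRESHOLD = 5  # 4625 events per (user, host) before alerting
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
REMOVABLE_DRIVES = {"E:", "F:"}  # assumption: letters assigned to USB storage
ROUTING = {  # which party gets which kind of alert (hypothetical addresses)
    "failed_logon_burst": ["soc@example.com"],
    "privileged_group_change": ["soc@example.com", "it-admins@example.com"],
    "removable_media_write": ["soc@example.com", "hr@example.com"],
}
LINE_RE = re.compile(r"^(\S+) (\d+) (.*)$")

def parse_event(line):
    """Turn one flattened event line into a dict: ts, id, plus its key=value fields."""
    ts, event_id, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": ts, "id": int(event_id), **fields}

def analyze(log_text):
    """Cull the raw events into alerts, each routed to the parties configured above."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    found = []
    # Failed logons (4625) counted per account and host
    failures = Counter((e["user"], e["host"]) for e in events if e["id"] == 4625)
    for (user, host), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            found.append(("failed_logon_burst", f"{n} failed logons for {user} on {host}"))
    for e in events:
        # Member added to a security-enabled local group (4732)
        if e["id"] == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            found.append(("privileged_group_change", f"{e['member']} added to {e['group']} by {e['user']}"))
        # Object access (4663) that writes to a removable drive
        if e["id"] == 4663 and e.get("object", "")[:2] in REMOVABLE_DRIVES and "Write" in e.get("access", ""):
            found.append(("removable_media_write", f"{e['user']} wrote {e['object']}"))
    return [{"kind": k, "recipients": ROUTING[k], "detail": d} for k, d in found]
```

Calling `analyze(SAMPLE_LOG)` yields three alerts, one per rule, each carrying the list of parties that should be notified.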
If all of these steps are practiced, your risk of insider threat will be dramatically decreased. Don’t forget, as William Osler once said, that, “The search for static security – in the law and elsewhere – is misguided. The fact is security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts.” With these seven practices in mind and Mr. Osler’s words reminding us of the ever-changing state of information technology, we can proceed to protect our assets with intelligence and vigilance.