10 Steps for Establishing an Effective Insider Threat Program

Insider threats continue to be a concern for organizations. New research conducted by Crowd Research Partners, in coordination with the LinkedIn Information Security Group, reveals that 74 percent of organizations feel vulnerable to insider threats, while 54 percent of security professionals say insider threats are more common overall.

Part of the problem is that most organizations still don’t have the proper controls or processes in place to fight off the insider threat surge. Preparing for insider threats starts with the establishment of an insider threat program (InTP) that can be delivered and deployed across different business units. In fact, if your organization is part of the U.S. federal government or the Defense Industrial Base, you’ve already been mandated to have an insider threat program as of November 30, 2016.

One of the stumbling blocks your organization may face is transforming a program on paper into a living, breathing instrument for preventing, detecting, and responding to insider threats. After all, each program needs to be tailored to meet your unique security needs. In this blog, we will walk you through 10 essential steps you need to take to implement tangible processes, policies, and frameworks that are repeatable and sustainable to go beyond a plan that’s on paper only.

  1. Know Your Critical Assets 

    Everyone within an organization has an opinion on which assets are critical. Normally, the technical teams prioritize physical assets (databases, web servers, devices) while the non-technical prioritize different forms of data (customer data, employee data, etc.). You need to come to a consensus on which assets are the most critical. Here is a general rule of thumb: it’s difficult to label an asset as critical if your organization can still function with the information or item in your competitor’s hands. If the asset is information, document where it lives, where it originates, and who uses it. If the asset is physical, identify where it is (office, remote, third-party, etc.) and the data types it processes.

  2. Document and Enforce Policies and Controls

    It’s hard to take policies and controls seriously when they aren’t enforced. Use caution when granting exemptions to policies. Insider threats are more difficult to identify when their actions are diluted by similar policy violations that aren’t consistently enforced. Documented policies are easier to follow and minimize the potential for the workforce to perceive unfair treatment. For example, if certain employees write customized computer scripts to make their job easier, you need to make sure there is a policy that explicitly states who has ownership of that information. Document processes to handle reports of phishing and spear phishing attempts, and have a clear plan in place for education and the chain of command to prevent sensitive information and systems from being compromised.

  3. Monitor and Respond to Suspicious or Disruptive Behavior

    Insider threat prevention starts during the hiring process. Background checks should be mandatory before making a hiring decision. Make sure to ask former employers about the candidate’s competence and how they handled issues in the workplace. Supervisors and managers should be trained on organization policies and taught to recognize and report on inappropriate workplace behavior, particularly as it relates to data handling and processing, violations of the company’s social media and email usage policies, and so forth. Don’t move employees around simply because you don’t want to deal with them. Problem cases don’t go away; they just grow if left unattended.

  4. Proactively Manage Negative Work Environment Issues

    Employees often sense changes that take place across the organization before official word gets out. Organizations should inform and work with supervisors and managers to anticipate any negative perceptions prior to rolling out the details to all staff. Employees who are laid-off or terminated should be monitored for any attempted access to systems, including cloud-based applications or platforms. Always record and appropriately handle overly negative or threatening remarks from a departing employee. You never know when words will turn into action. By following a standard process for departing employees, and updating it regularly, you can avoid many problems associated with this area.

  5. Consider Insider Threats in Enterprise Risk Assessments

    Many organizations review and manage risk through formalized enterprise-wide risk assessments. However, few consider the insider threat risk during their assessment. Threats from insiders aren’t limited to your full-time employees. Contractors, third-party business partners, and former employees with access to your resources are also threats. Get signed non-disclosure agreements (NDAs) from all employees and contractors prior to allowing access to systems, including cloud-based tools and platforms like or Box.

  6. Practice Social Media Vigilance

    What exactly does social media vigilance mean? Social media vigilance in an insider threat program is entirely about prevention of the unintentional insider threat, versus detecting malicious actors. Attackers often use social media and professional networking sites to identify personal information that they can use in phishing campaigns. Educate your employees, contractors, and trusted business partners about safe social media practices, and how your organization handles infractions against your social media policy.

  7. Structure Management and Tasks to Minimize Insider Stress and Mistakes

    A happy workforce is a productive workforce. On the flip side, a stressed workforce is unproductive and prone to making mistakes. Placing unrealistic expectations on employees will result in them bending rules and even ethics to accomplish the goals and remain employed. For instance, in 2016, the Consumer Financial Protection Bureau fined Wells Fargo $185 million for fraud its employees had committed since 2011. Current and former employees of Wells Fargo stated they opened millions of fake accounts without customer consent to hit unrealistic sales goals. To reduce stress, choose project timelines and goals with standard working shifts and obtainable targets.

  8. Conduct Periodic Insider Threat Awareness Training

    Timeliness matters when detecting and responding to insider threats. Insider threat awareness training should be given to all employees, contractors, and trusted business partners before starting project work. According to the Information Security and Crowd Research report, 51 percent of organizations conduct user training to overcome insider threats. Effective training identifies the profile of an insider threat, describes their activities, and outlines reporting methods. Organizations that establish a culture of security are more likely to take threats seriously, stay protected, and quickly detect and respond to threats that emerge.

  9. Implement Strict Password and Account Management Practices

    Often, bad actors within an organization obtain other employees’ usernames and passwords through shared access to systems or shoulder-surfing. Deterring insider threats requires stronger passwords, as well as concrete policies and practices for identifying users with a larger number of permissions. A password policy should include length and complexity requirements along with expectations for re-use and appropriate storage and sharing. Avoid using group accounts at all costs. If you must use a group account, develop a process to conduct an inventory of all users with access to the group account. Group accounts are a known vector for insider threats, as their passwords rarely change and it is difficult to prove attribution.

  10. Institute Stringent Access Controls and Monitor Policies on Privileged Users

    Half of the cases in CERT’s Insider Threat Database involved insiders stealing confidential data or sabotaging technology. In these cases, the insider happened to be a privileged user. What makes privileged users unique is the organizational level of access and knowledge they possess. Therefore, the threat from privileged users is a big concern. Follow these two simple rules: write policies specific to acceptable use and expectations for privileged account use, and ensure employees read and acknowledge policies before providing account credentials. Policies alone do not ensure compliance. That’s why every privileged user policy should feature a monitoring element.
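    Steps 4, 9 and 10 each call for a monitoring element: access attempts by departed employees, use of group accounts that cannot be attributed, and logins by privileged users. The script below is an added example, not code from the original post; the log format, the offboarding list, the group-account inventory and the privileged-account list are all constructed assumptions.

```python
import re

# Constructed log format (assumption): one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+)$"
)

# Constructed reference data (assumptions): HR offboarding dates,
# the group-account inventory from step 9, and the privileged-account list.
OFFBOARDED = {"jdoe": "2017-03-01"}                # user -> last day of access
GROUP_ACCOUNTS = {"svc_backup": {"alice", "bob"}}  # account -> who may use it
PRIVILEGED = {"root", "dbadmin"}

SAMPLE_LOG = """\
2017-03-02T08:15:00 FAIL user=jdoe src=203.0.113.7 app=box
2017-03-02T08:16:10 OK user=alice src=10.0.0.5 app=crm
2017-03-02T09:00:00 OK user=svc_backup src=10.0.0.9 app=fileserver
2017-03-02T09:30:00 OK user=dbadmin src=10.0.0.12 app=db
2017-02-20T17:00:00 OK user=jdoe src=10.0.0.5 app=crm
garbage line
"""

def parse_line(line):
    """Return the event fields as a dict, or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def screen_logs(lines, offboarded=OFFBOARDED, group_accounts=GROUP_ACCOUNTS,
                privileged=PRIVILEGED):
    """Return (category, user, detail) alerts for events the program's
    policies say must be reviewed by a person."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"]
        # Step 4: any attempt, successful or not, after the last day of access.
        if user in offboarded and ev["ts"][:10] > offboarded[user]:
            alerts.append(("offboarded-access", user, f"{ev['result']} {ev['app']} from {ev['src']}"))
        # Step 9: a group account cannot be attributed from the log alone.
        if user in group_accounts:
            alerts.append(("group-account-use", user, f"{len(group_accounts[user])} authorized users, src {ev['src']}"))
        # Step 10: every successful privileged login is recorded for review.
        if user in privileged and ev["result"] == "OK":
            alerts.append(("privileged-login", user, ev["app"]))
    return alerts

if __name__ == "__main__":
    for alert in screen_logs(SAMPLE_LOG.splitlines()):
        print(*alert)
```

    The review queue it produces is only as good as the offboarding and inventory data behind it, which is why step 4 ties the monitoring to a standard, regularly updated departure process.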


    These 10 elements of an effective insider threat program are not all-encompassing, but they are necessary steps for preventing and detecting insider threats. Policies are often overlooked in favor of appliances to stop insider threats, but a single appliance can’t adequately do the job on its own. Organizations that want to consistently combat insider threats should get senior management buy-in and consult with people trained to tailor a program to meet their specific needs.

    Contact us to learn more about our Insider Threat Program Assessments or download the 2017 Cyber Security Trends Report.