Building an Insider Threat Program: 3 Secrets to Success

Building an Insider Threat Program Hero


Pre-employment Background Checks and Continuous Review Cycles

Internal Training and Feedback Programs

Collaboration Across Cyber and Physical Security Teams

Final Thoughts

The people that make up an organization are the greatest defense against an insider threat — but are also its greatest vulnerability. While one employee has the ability to save a business from a detrimental attack, another can cause incredible damage to a company, its brand and its people. For this reason, as you’re building an insider threat program, it is critical you evaluate mitigation efforts to maintain the good, prevent the bad and ensure success of your program.

A proactive corporate insider threat program should span across the entire organization and serve as a mechanism to help employees. Rather than implementing a complex enforcement program, or conversely, an oversimplified ‘check-the-box’ solution, consider incentivizing individuals to be actively aware of irregular behavior and know when to speak up.

The best insider threat programs generally include:

Pre-employment background checks and continuous review cycles

Internal training and feedback programs

Collaboration across cyber-physical security teams

Pre-employment Background Checks and Continuous Review Cycles

Before hiring an individual, a proper background check must be completed. The goal of a background check should be to hire the most qualified and talented candidate while ensuring honest and ethical values. This includes screening for criteria such as criminal and civil records, sex offender registrations, global watchlist references, as well as employment and education verifications.

Post-hire, managers should pay close attention for any signs of deceptiveness or other suspicious behaviors. ​​Continuous review across your organization’s systems (e.g., visitor management, access control, user activity around sensitive information, HR portals and video management) or unusual patterns should activate workflows and uncover additional information related to a threat signal.

Not only should insider threat program requirements include continuously reviewing system activity, but people leaders should also exercise proactive measures by providing regular performance reviews and educating their workforce on security best practices. These insider threat detection programs serve as reminders to employees on acceptable behaviors and allow managers to better identify individuals’ behaviors and attitudes. On top of this, managers should ensure that employees are honest about their time logs and expense reports.

Whether it’s honing in on malicious activity or identifying human error that could negatively impact the business, continuous review allows your team to quickly recognize and investigate threat signals with a comprehensive analysis and evaluation. Use workflows designed for your insider threat management program and integrate your research and data sources into one central place for ease of reporting and compliance.

Internal Training and Feedback Programs

Engage employees across the entire organization in designing insider threat mitigation strategies. The people in an organization serve as the most effective guard against insider threats. When employees are trained to recognize potential indicators of insider threat behavior and are aware of the damage insiders can cause, they are more likely to defend the company from a malicious act.

While the tone of the program is set by executive leadership, extended leadership teams, including human resources and security personnel, should continuously review patterns, behaviors and trends that will cause damage to an organization and its people.

Leadership teams are responsible for conducting routine insider threat awareness training that utilizes “active learning.” The general workforce needs to be fully engaged when it comes to recognizing aberrant behaviors and identifying the tactics that lead to malicious attacks. For example, employees need to be able to pick up on social engineering clues such as inappropriate requests, unusual context and emotional appeals. Phishing attacks are one of the most popular threat forms and training to avoid attacks should be top priority. In a 2021 benchmarking report, security awareness trainer KnowBe4 reported that untrained users fail 31.4% of phishing attempts, while the average among trained users is 4.8%. 

Potential insider threat indicators may include: co-worker conflict, vocalized stressors or negative online behavior. However, these indicators may differ by department or context, so remain adaptive to the changing threat environment.

Lastly, leadership should aim to promote a supportive reporting culture while also protecting employees’ privacy. Implement processes that support maintaining anonymity while providing easily accessible feedback channels for employees to share information to leadership. When properly implemented, these principles protect organizations against dangerous insiders who may use their legitimate access to harm the organization, even unwittingly.

Collaboration Across Cyber and Physical Security Teams

Coordination of various cyber and physical measures can serve as an important foundation when establishing an insider threat program for your organization. To foster dynamic collaboration within investigations, integrate your physical and existing cybersecurity efforts for a holistic strategy and single view of your entire threat landscape.

Jointly, security teams should exercise discipline to maintain tight controls on sensitive data, access control, encrypted communication channels, backup critical systems and devices, and update software when necessary. This mindset applies to personal safety in the office as well, including maintaining a clean and clear desk space and securing sensitive documents at all times. Among other things, the importance of protecting employee identity, credentials, and access control cards so that they don’t fall into the wrong hands. Compromising an employee’s identity sets the stage for an insider to carry out an attack, granting them unauthorized disclosure of classified information while remaining anonymous.

In collaboration with cybersecurity teams, proactively building an insider threat program helps you automate the capture of internal triggers, unusual behavior, or concerning activities. Identify ways to standardize workflow activation based on a critical signal and flag for advanced investigation, incident management, and resolution. The cyber and physical teams are uniquely positioned to scale protective efforts for their organization.

By implementing a comprehensive program that includes the entirety of the organization, unified security teams not only minimize the insider attack risk but also promote a strong, honest, and collaborative workspace.

Final Thoughts

By gathering information through pre-hiring efforts, employee feedback channels, training employees on what to look for, and collaborating across security teams, your organization will be better prepared to manage threats. When implemented correctly, insider threat programs have the ability to protect your organization and contribute to the success of your company.

Download Now

Continuous Monitoring in the Intelligence Cycle