ObserveIT CEO Michael McKee explained what it takes for an organization to develop and deploy an effective insider threat program in his presentation to Argyle’s CISO membership at the 2017 Chief Information Security Officer Leadership Forum in Chicago on May 4. In his presentation, “Best Practices for Building an Insider Threat Program,” McKee described insider threats and how an organization can detect and resolve such problems consistently.
According to McKee, insider threats are becoming increasingly prevalent at organizations of all sizes. However, few organizations allocate the necessary time and resources to identify and resolve insider threats effectively.
Many organizations have been able to resolve external threats successfully, McKee said. Conversely, organizations that fail to identify internal dangers put their brands, revenues and customers at risk.
“Organizations have done a good job of mitigating the external threat, but now they need to focus on the internal threat,” McKee stated. “A lot of the big data breaches start with a single person, and a lot of organizations don’t have visibility on what people are doing.”
McKee offered the following tips to help an organization build a successful insider threat program:
1. Ensure Organizational Commitment
Organizational commitment is the centerpiece of an effective insider threat strategy, McKee said.
“The insider threat touches all parts of the organization … and you’ve got to make sure that you have first-class players from all of the different organizational functions.”
If an organization teaches its employees about the risks associated with insider threats, it may be better equipped than others to mitigate such issues.
“You can patch vulnerabilities, but you can’t patch people,” McKee said.
2. Focus on Detection and Response
A successful insider threat program requires an organization to emphasize insider threat detection and response, McKee pointed out.
To detect insider threats, organizations need the right tools and technologies to find out what employees, vendors and other insiders are doing. That way, organizations will be able to identify insider threats before they can escalate.
“Understanding what privileged users are doing … is really important,” McKee indicated. “A lot of people are just trying to get their job done. But by doing so, they’re sometimes putting their organizations at risk.”
Moreover, organizations must have plans in place to deal with insider threats and prevent them from recurring.
Organizations should develop clear-cut insider threat protocols. In addition, organizations should share details about these protocols with workers and ensure employees understand the dangers associated with releasing sensitive information to external parties.
3. Develop an Insider Threat Solution Checklist
McKee recommended organizations use an insider threat solution checklist that includes the following parts:
- Detect: An insider threat solution should make it simple for organizations to identify insider threats both now and in the future.
- Deter: The solution must help an organization deter insider threats consistently.
- Educate: The solution should help an organization teach its employees about insider threats and the dangers they pose to the organization.
- Prevent: The solution should empower users to do everything possible to prevent insider threats from happening.
- Investigate: The solution should enable users to understand where insider threats are coming from to help them control these problems over an extended period of time.
Using this checklist may prove to be exceedingly valuable to organizations around the world, McKee said. With this checklist in hand, organizations can better understand whether an insider threat solution is ideal based on their cybersecurity needs.
4. Emphasize People, Not Machines
Although technology is an important part of a successful insider threat program, people within an organization ultimately dictate a program’s success, McKee noted.
“Start with the people and the process,” McKee said. “Technology is an enabler, but it is not the solution.”
An organization should foster collaboration among various departments to develop a successful insider threat program, and for good reason.
Insider threats can affect all departments across an organization, McKee stated. As such, an organization that involves all departments in the creation of an insider threat program may be able to teach all workers how to identify and resolve insider threats day after day.
Introducing a team-first approach to insider threats may help an organization gain control over its insider threat program, McKee said.
With this approach, an organization can emphasize the dangers associated with insider threats, along with the ways insider threats can affect all employees, in all departments, at all times. As a result, an organization can provide all employees with the insights they need to contribute to a successful insider threat program.
“The insider threat is truly a team sport,” McKee noted. “The insider threat touches all parts of the organization … and you’ve got to make sure that you have first-class players from all of the different organizational functions. It’s essential to take a team approach.”