3 Ways to Stop Insider Threats

August 26, 2019

Contributor: Manasi Sakpal

CISOs can prevent and protect against risky employee behaviors from the careless to the malicious.

In July 2019, global hotel chain Marriott International was charged with a $123 million fine for leaking the data of more than 380 million hotel guests in the U.K. The incident was attributed to poor monitoring efforts and employee negligence — both of which were completely preventable had the IT systems been secured from internal threats. Although mature organizations have well-defined incident response plans and procedures for common security events, few have dedicated efforts to better understand how to mitigate and respond to insider threats. This makes combating insider threats one of the most critical issues for chief information security officers (CISOs).


“Insider threats are a reality, and CISOs must account for these when creating an incident response plan,” says Jonathan Care, Senior Director Analyst, Gartner. “To combat these threats, CISOs can’t simply deploy a product, implement a process or increase user awareness. Insider threats require a multifaceted, multidisciplinary approach.” 


But building incident response scenarios to account for every conceivable type of insider threat would take more time and resources than any single organization can apply. Instead, CISOs can build threat scenarios focused on three key areas:

  • Capabilities for monitoring and surveillance
  • Profiles and personas specific to their organization
  • Past insider incidents

Invest in employee monitoring and surveillance capabilities

Invest in monitoring and surveillance capabilities to gain a better understanding of, and more visibility into, people and assets — from how data is handled to identifying employee behaviors that don’t follow standard policy. Such investments will help you efficiently roll out response, mitigation and recovery when violations occur. “CISOs need to know who is at risk, what the source of the risk is and what the triggers are that can activate risky behavior,” says Care. Thorough background checks of employees and vendors, combined with monitoring of anomalous data exchanges, give CISOs a view into user and entity behavior analytics (UEBA). This is critical for understanding sources of risk and the corresponding risk mitigation plan.

Build profiles and personas

Incident response scenarios come from developing user profiles and personas that help identify unusual behavior for users or groups engaged in high-risk activities. Identify the potentially risky behaviors and map them against possible solutions or mitigations. While they will vary by organization, common scenarios include installing unsanctioned software, repeated failed password attempts and attempting to access other employees’ accounts.

As you gain more in-depth insight into user profiles and personas, these scenarios can be made more specific. “Once context-specific incident response scenarios are identified, iterate the actions to include specific users or groups to indicate whether the actions warrant escalation to an incident,” says Care.
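To make the two preceding sections concrete, here is an added example (not from the Gartner article or any product it mentions) of how the three common scenarios named above, unsanctioned software installs, bursts of failed password attempts and attempts to access another employee’s account, can be expressed as persona-aware detection rules and run over a few constructed log lines. The log format, the persona names, the thresholds, the sanctioned-software lists and the high-risk user group are all assumptions for illustration; the point is that the same raw event is judged differently depending on the persona of the user who generated it, and that escalation to an incident is decided per user or group, as the quoted advice suggests.

```python
"""Persona-aware insider-threat detection over constructed log lines.

Added illustration, not code from the article. Log format, personas,
thresholds and user groups are invented for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <EVENT_TYPE> key=value ...".
SAMPLE_LOG = """\
2019-08-20T09:00:01 AUTH_FAIL user=alice host=ws-12
2019-08-20T09:00:20 AUTH_FAIL user=alice host=ws-12
2019-08-20T09:00:45 AUTH_FAIL user=alice host=ws-12
2019-08-20T09:01:10 AUTH_FAIL user=alice host=ws-12
2019-08-20T09:01:30 AUTH_FAIL user=alice host=ws-12
2019-08-20T09:01:50 AUTH_FAIL user=alice host=ws-12
2019-08-20T10:15:00 AUTH_FAIL user=bob host=ws-31
2019-08-20T10:15:30 AUTH_OK user=bob host=ws-31
2019-08-20T11:02:00 ACCESS_ATTEMPT user=carol target_account=dave host=ws-07 result=denied
2019-08-20T13:40:00 SOFTWARE_INSTALL user=bob package=remote-admin-tool host=ws-31
2019-08-20T14:05:00 SOFTWARE_INSTALL user=erin package=remote-admin-tool host=ws-44
"""

# Assumed personas: how many failed logins in one window are tolerable, and
# which packages the persona is sanctioned to install. A help-desk agent
# legitimately installs remote-admin tooling; a finance user does not.
PERSONAS = {
    "finance":  {"fail_threshold": 5,  "sanctioned": set()},
    "helpdesk": {"fail_threshold": 10, "sanctioned": {"remote-admin-tool"}},
    "engineer": {"fail_threshold": 5,  "sanctioned": {"remote-admin-tool", "compiler"}},
    "default":  {"fail_threshold": 3,  "sanctioned": set()},
}
USER_PERSONA = {"alice": "finance", "bob": "finance", "carol": "finance",
                "dave": "engineer", "erin": "helpdesk"}
# Assumed group of users that HR/legal have flagged from past incidents;
# lower-severity findings escalate to an incident only for this group.
HIGH_RISK_USERS = {"alice"}
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "type": kind}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def detect(log_text, window=WINDOW):
    """Run the three persona-aware rules and return findings in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    findings = []
    recent_fails = defaultdict(deque)  # user -> timestamps of failures in window

    def add(rule, e, persona_name, detail, escalate):
        findings.append({"ts": e["ts"].isoformat(), "rule": rule, "user": e["user"],
                         "persona": persona_name, "detail": detail, "escalate": escalate})

    for e in events:
        user = e["user"]
        persona_name = USER_PERSONA.get(user, "default")
        persona = PERSONAS[persona_name]

        if e["type"] == "AUTH_FAIL":
            q = recent_fails[user]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= persona["fail_threshold"]:
                add("failed_login_burst", e, persona_name,
                    f"{len(q)} failures within {window}", user in HIGH_RISK_USERS)
                q.clear()  # one finding per burst
        elif e["type"] == "AUTH_OK":
            recent_fails[user].clear()
        elif e["type"] == "ACCESS_ATTEMPT" and e.get("target_account") not in (None, user):
            # Any attempt on another employee's account escalates regardless of persona.
            add("cross_account_access", e, persona_name,
                f"target_account={e['target_account']} result={e.get('result')}", True)
        elif e["type"] == "SOFTWARE_INSTALL" and e["package"] not in persona["sanctioned"]:
            add("unsanctioned_install", e, persona_name, f"package={e['package']}", True)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Running the block reports three findings: alice’s burst of failed logins (escalated because she is in the assumed high-risk group), carol’s denied attempt on dave’s account, and bob’s install of a remote-admin tool that his finance persona is not sanctioned to use; erin’s identical install generates nothing because her help-desk persona sanctions it. In a real deployment the personas and the high-risk group would come from the profiling work and the HR/legal incident history the article describes, and the thresholds would be tuned against your own baseline rather than the constructed values used here.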

Examine past insider threat incidents

Look to past insider threat incidents in your organization and use them to test and refine your incident response preparation and readiness. Work with your legal and HR teams to do so, as they typically document such incidents.

You can also examine post-incident reporting and add it as a critical source to your scenario planning. Remember that past incidents can help you create a playbook of use cases and implement incident management process improvements, such as adding future incident indicators for actions or behaviors that were missed.
