3 Ways to Stop Insider Threats

CISOs can prevent and protect against risky employee behaviors — from the careless to the malicious.

In July 2019, global hotel chain Marriott International was fined $123 million for leaking the data of more than 380 million hotel guests in the U.K. The incident was attributed to poor monitoring and employee negligence, both of which were preventable had the IT systems been secured against internal threats.

Although mature organizations have well-defined incident response plans and procedures for common security events, few have dedicated efforts to better understand how to mitigate and respond to insider threats. This makes combating insider threats one of the most critical issues for chief information security officers (CISOs). 

“Insider threats are a reality, and CISOs must account for these when creating an incident response plan,” says Jonathan Care, Senior Director Analyst, Gartner. “To combat these threats, CISOs can’t simply deploy a product, implement a process or increase user awareness. Insider threats require a multifaceted, multidisciplinary approach.” 

But building incident response scenarios to account for every conceivable type of insider threat would take more time and resources than any single organization can apply. Instead, CISOs can build threat scenarios focused on three key areas:

  • Capabilities for monitoring and surveillance
  • Profiles and personas specific to their organization
  • Past insider incidents

Invest in employee monitoring and surveillance capabilities

Invest in monitoring and surveillance capabilities to gain a better understanding of, and more visibility into, people and assets — from how data is handled to identifying employee behaviors that don’t follow standard policy. Such investments will help you efficiently roll out response, mitigation and recovery when violations occur.

“CISOs need to know who is at risk, what the source of the risk is and what the triggers are that can activate risky behavior,” says Care. 

Thorough background checks of employees and vendors, together with monitoring of anomalous data exchanges, give CISOs a view into user and entity behavior analytics (UEBA). This is critical for understanding the sources of risk and for building the corresponding risk mitigation plan.

Build profiles and personas

Incident response scenarios are derived from user profiles and personas that help identify unusual behavior by users or groups engaged in high-risk activities.

Identify the potentially risky behaviors and map them against candidate solutions or mitigations. While they will vary by organization, common scenarios include installing unsanctioned software, failed password attempts and attempting to access other employees' accounts. As you gain more in-depth insight into user profiles and personas, these scenarios can be made more targeted.

“Once context-specific incident response scenarios are identified, iterate the actions to include specific users or groups to indicate whether the actions warrant escalation to an incident,” says Care. 
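As an added illustration (not code from the Gartner article), the script below turns two of the common scenarios named above, failed password attempts and attempts to access another employee's account, into per-user checks with persona-specific escalation thresholds. The log format, the users, the persona mapping and the thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "<time> <actor> <event> <target_account>"
SAMPLE_LOG = """\
2024-01-10T09:00:01 alice LOGIN_FAIL alice
2024-01-10T09:00:07 alice LOGIN_FAIL alice
2024-01-10T09:00:15 alice LOGIN_OK alice
2024-01-10T09:05:00 bob LOGIN_FAIL carol
2024-01-10T09:05:09 bob LOGIN_FAIL dave
2024-01-10T09:20:00 dave LOGIN_FAIL dave
2024-01-10T09:20:04 dave LOGIN_FAIL dave
2024-01-10T09:20:08 dave LOGIN_FAIL dave
"""

# Assumed persona thresholds: privileged admins escalate after fewer failures.
PERSONA_THRESHOLDS = {"admin": 3, "staff": 5}
USER_PERSONA = {"alice": "staff", "bob": "staff", "carol": "staff", "dave": "admin"}

def parse_log(text):
    """Parse the constructed log lines into (actor, event, target) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:          # skip blank or malformed lines
            events.append((parts[1], parts[2], parts[3]))
    return events

def evaluate_scenarios(events):
    """Score each user against the two scenarios; 'escalate' marks incident candidates."""
    own_fails = defaultdict(int)   # failed logins to the actor's own account
    foreign = defaultdict(set)     # other employees' accounts the actor tried
    for actor, event, target in events:
        if actor != target:
            foreign[actor].add(target)
        elif event == "LOGIN_FAIL":
            own_fails[actor] += 1
    findings = []
    for actor, n in own_fails.items():
        limit = PERSONA_THRESHOLDS[USER_PERSONA.get(actor, "staff")]
        findings.append({"user": actor, "scenario": "failed_logins",
                         "count": n, "escalate": n >= limit})
    for actor, targets in foreign.items():
        # Any attempt on another employee's account is escalated outright.
        findings.append({"user": actor, "scenario": "foreign_account_access",
                         "count": len(targets), "escalate": True})
    return findings
```

Running `evaluate_scenarios(parse_log(SAMPLE_LOG))` flags dave (admin, three failures) and bob (two foreign accounts) for escalation while alice stays below the staff threshold.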

Examine past insider threat incidents

Look to past insider threat incidents in your organization and use them to test and refine your incident response preparation and readiness. Work with your legal and HR teams to do so, as they typically document such incidents. You can also examine post-incident reporting and add it as a critical source to your scenario planning. 

Remember that past incidents can help you create a playbook of use cases and implement incident management process improvements, such as adding future incident indicators for actions or behaviors that were missed. 

Gartner clients can read more in How to Build Incident Response Scenarios for Insider Threats by Brian Reed and Jonathan Care.
