5 Things to Consider for an Insider Threat Audit

In today’s world of information technology, insider threats are one of the primary reasons for security breaches. The definition of insider threat includes not just intentional malicious actions but also accidents and cases of negligence. According to the Ponemon Institute’s 2022 Cost of Insider Threats Global Report, “insider threat incidents have risen 44% over the past two years, with costs per incident up more than a third to $15.38 million.” This insider threat risk upward trend has been observed by different stakeholders in previous years as well.

To combat this rising information security threat, organizations must develop insider threat mitigation programs. An insider threat program is defined by the National Institute of Standards and Technology (NIST) as “a coordinated collection of capabilities authorized by the organization and used to deter, detect, and mitigate the unauthorized disclosure of information.”

In addition to developing programs, organizations should also perform regular audits of these programs – both internally as well as with the help of third parties. Insider threat mitigation approaches are also examined during most compliance audits. Efficient auditing of your security policies for risk assessment and risk management is critical to business success and allows you to find any vulnerabilities in your security program and mitigation strategies.

The Insider Threat Mitigation Guide

The United States Cybersecurity and Infrastructure Security Agency (CISA.gov) publishes a freely accessible, extensive guide to insider threats called the Insider Threat Mitigation Guide. The most recent edition of this guide was published less than 2 years ago and contains a wide array of information and suggestions that help every organization, no matter the size or industry, to build a successful insider threat mitigation program.

The CISA guide includes recommendations for measures to employ in your mitigation program. It’s worth noting that data loss prevention (DLP) solutions are listed as the number 2 most common measure right after user awareness training. Therefore, data loss prevention can be perceived as the baseline technology to help organizations avoid security incidents as a consequence of insider activity.

Here are 5 important issues mentioned in the Insider Threat Mitigation Guide that you should consider for an internal insider threat audit to verify how well your insider threat mitigation program performs in practice, primarily from the point of view of data loss prevention.

1. Good Practices are Not Enough

Many insider threat programs focus on security awareness, education, monitoring of work conditions, and other tasks falling primarily on human resources departments. It is a very good assumption that if employees are well-trained and well-treated, the risk of potential insider threats, whether accidental, intentional or caused by negligence, is greatly reduced.

However, while these good practices should indeed form the basis of the insider threat program, they are not enough to eliminate all the potential threats. Even the best-trained employee makes mistakes. Even if all your personnel is very well paid and well treated, they may be tempted by a large sum to steal trade secrets and sell them to competition, as in the 2011 AMSC/Sinovel case.

Your program begins with best practices but it’s a good idea to follow up with more. Quoting the CISA guide, it should “employ practices and systems that limit or monitor access across organizational functions. Those practices and systems, in turn, limit the amount of damage an insider can do, whether the act is intentional or unintentional.” As part of your internal audit, you should make sure that all elements of the program are equally effective.

2. Prevention Requires Careful Monitoring

Not all employees pose the risk of becoming malicious insiders. According to PricewaterhouseCoopers, only 10% of employees exhibit disruptive behavior. Therefore, one of the most important goals of mitigating insider threats is finding high-risk employees and ensuring that their actions are well-monitored.

Disruptive behavior often begins with low-risk malicious activities that follow similar patterns to high-risk ones. For example, if an employee has a tendency to send potentially sensitive information to co-workers or business partners via email or messaging platforms, these attempts at first may be of low potential impact. Then, they may escalate to major problems involving sending critical data to outsiders such as former employees. Due to this, the mechanisms employed as part of the mitigation program must include monitoring of all information systems accessed by potentially malicious insiders and steps to increase access controls to improve safeguarding for those that were found to exhibit suspicious behavior.

Your insider threat audit should therefore observe whether there are mechanisms to effectively monitor potentially disruptive behavior when it starts and whether warnings supplied by automated systems lead to access limitations or increased monitoring.

3. Action Should Be Taken Before Escalation

As mentioned above, escalation management is a very important aspect of insider threat detection and insider threat awareness. Potentially malicious insiders that have malicious intent may start with actions that seem obvious and are easy to block. For example, they may try to copy the company’s intellectual property onto a pen drive or send it to their own private email. If that fails, however, they may simply try to take a photo of their endpoint’s screen using their private mobile device, and that type of action is very difficult to prevent.

If alarms are raised based on user activity and IT security system administrators react to them in real-time, such escalations could lead to effective incident response with the use of cameras and the examination of private devices upon an attempt to leave the company premises, which would, of course, need to involve law enforcement. However, for such reactions to be possible, there is a need for early detection and an effective alarm system that is not plagued by false positives.

4. Identification of Sensitive Data Should be Automated

Malicious insider activities may take on different forms. The CISA guide identifies five expressions: violence, espionage, theft, sabotage, and cyber – the last one includes all four of the other expressions but in the context of computer systems, not physical security. While the consequences of violence and sabotage are primarily insider attacks that lead to disruptions of critical infrastructure, both theft and espionage are associated with unauthorized access to sensitive information.

The larger the organization, the more diverse information it processes, and the more chance that some of this information is sensitive data. The more systems employees have access to, the bigger the chance that they have access to some kind of sensitive information. Even the most thorough data identification programmes may accidentally omit some sensitive data.

To make sure that insider threats have limited access and cannot steal sensitive information, the mitigation solutions must be able to identify such information automatically instead of relying on manual activities. Therefore, your audit should check whether the measures employed to mitigate data loss can perform such automatic identification effectively.

5. Go Beyond Data Loss Prevention

While data loss prevention solutions have been listed by the CISA guide as the most important technological tool to help mitigate insider threats to IT systems, there are several other technologies that are recommended as well. They include user behavior analytics, employee monitoring & surveillance, security incident & event management (SIEM), incident response management (IRM), threat intelligence sharing, privileged access management (PAM), and network traffic intelligence.

Your insider threat audit should see whether such measures are in use as well and, if not, are the areas covered by these solutions, such as network access and connectivity, authentication, and privileged users protected with the use of different tools, systems, or procedures. Completeness is one of the most important aspects of a mitigation program simply because all it takes is just one small leak to wreak havoc on the business.