Worried About Insider Threats? Here’s How You Build an Effective Insider Threat Program

July 24, 2019

Did you know that nine in 10 organizations report feeling vulnerable to insider attacks? Half (53%) say they’ve experienced insider attacks in the previous year. And another 69% of companies say they’ve suffered “significant data or knowledge loss” as a result of former employees taking data with them. 

There’s no shortage of statistics about the potential and actual damage that insiders can inflict, both maliciously, negligently and innocently enough. And assuming you’re managing a workforce or providing access to partners—and many organizations do both—you’re at risk. Suffice it to say that insider threats are a very real challenge and one worth addressing with a programmatic approach. So Ping Identity’s CISO Advisory Council signed up to help the industry do exactly that.


One of the most fun parts of my job is the opportunity to meet with our customers’ security leaders. The formation of our CISO Advisory Council over the past few years has allowed me to go even deeper with CISOs from our customer organizations, getting their insights and help to:


  1. Improve Ping’s products and services.
  2. Enhance their individual security programs.
  3. Create guidance to share with the industry to make us all better.

With regard to the latter, the council voted during our 2019 session to provide guidance to the industry on implementing an effective insider threat program. I invite you to read the full paper linked below. But to give you a taste of what’s included, here are the top 5 things you need to know when developing your own insider threat program. 


1. A successful insider threat program starts with the right team.

While security will naturally be a part of the team responsible for your insider threat program, we are not enough on our own. To ensure success, you also need the involvement of your human resources and legal teams. And likely, there will be other key stakeholders in your organization that should be involved early as well. Development of a cross-functional team will yield the best program and results.


2. Your company’s insider threat risk is unique, so your program will be, too. 

Your program will only be successful if it’s effective at protecting your organization from its biggest threats. These vary depending upon the business, and only you can determine what yours are. Perhaps its intellectual property theft? The pilfering of customer lists or leaking of payment data? Maybe the sabotage of critical infrastructure poses a significant threat. Since the risks you’re addressing are unique, so too will be your program. A one-size-fits-all approach won’t work. 


3. Identify all at-risk roles, not just the obvious ones.

There are certain roles that immediately come to mind when identifying at-risk insiders. Sales, finance, executives and IT are the most common. But there may be other high risk roles in your organization. For example, customer service agents may be entry-level employees with little training, but they have access to highly sensitive information. Also, developers may not be on your radar screen, but they may have the ability to add backdoors into your systems to maintain persistence even after leaving. Finally, don’t forget your partners or other third-parties who have access to your system. Taking time to think through the details of your business to identify the roles that pose a potential risk will strengthen your insider threat program. 


4. Layer in both technical and non-technical controls. 

When developing your insider threat program, your natural tendency may be to focus on the technical supports you’ll need. But don’t overlook processes that can be equally important to an effective insider threat program. When you’re working as part of a cross-functional team, you’ll gain a more holistic view of what’s possible and identify ways to apply both technical and non-technical controls, like proper onboarding, training and offboarding processes. Looking at threat management over the lifecycle of an insider’s relationship with your organization, starting with before access is granted, through to when access is terminated, will further ensure you cover your bases.


5. Technology is critical to managing insider risk—and the only constant in tech is that it’s always changing. 

While a network DLP used to be the de facto standard for insider threat management, the landscape has shifted. Technological advancements and trends—including cloud solutions (that don’t support network-based telemetry), BYOD initiatives (where you aren’t able to install agents on the device) and TLS 1.3 (which makes man-in-the-middle decryption difficult or impossible)—are making network-based DLPs an unsustainable solution. These advancements coupled with increased regulation across a range of industries are driving organizations toward more flexible end-point and application-based insider threat management tools.


Managing Your Insider Threat Program

In working alongside our customer security leaders on this initiative, I gained a couple of critical insights that I’ll share in conclusion—and in the hope that they can add value to your own insider threat program. 


The first is the importance of a cross-functional team. While insider threat management is often led by security, it’s critical that you find partners in HR, legal and other business units to join your team. As long as insider threat management is considered to be just a security function, it will be marginalized. But when we can demonstrate to leadership the critical role an insider threat program can play in protecting the assets that matter most to our organizations, we can gain the support needed to make our efforts successful and elevate the importance of the role we play.


Secondly, if your insider threat program becomes stagnant, it won’t be successful. Due to the ever-changing nature of technology, business priorities and regulatory requirements, what was good enough yesterday is not good enough today, and what we build today will need to evolve tomorrow. A successful insider threat program is one that’s flexible enough to adapt to a rapidly changing environment.


To get additional guidance on implementing or improving your insider threat program, read the white paper.


For more insights from Ping’s CISO Advisory Council, check out: