
Revamping your insider threat program

Why it's important to do now, and factors to consider.

By Sandra Gittlen
July 14, 2014 06:30 AM ET

Computerworld - Think headlines about data theft and leakage have nothing to do with you? Think again. Many of these incidents have a common theme: Privileged access. It's your job to make sure your organization doesn't fall victim to the same fate by at the very least examining your existing insider threat program, and perhaps doing a major revamp.

Edward Snowden's theft and release of National Security Agency data, Army Private First Class Bradley Manning's disclosure of sensitive military documents to information distributor WikiLeaks and the shooting at the Washington Navy Yard by a credentialed IT subcontractor have given IT executives across industries pause to reconsider their security policies and procedures.

Tips for insider-threat mitigation

  • Build a multidisciplinary team consisting of IT, HR, legal and key lines of business
  • Target people and areas with privileged access
  • Look at data flows -- within the company and anything going out
  • Understand the information needs of customers, employees and suppliers
  • Balance the needs of employees with the company's security requirements
  • Create guidelines, and communicate them in employee handbooks and elsewhere
  • Use technology to enforce your guidelines
  • Create whistleblowing programs to keep anonymity intact -- of both the accuser and the accused

-- Sandra Gittlen

"A crescendo of discussions is happening in boardrooms everywhere about the impact an insider could have on corporate assets," says Tom Mahlik, deputy chief security officer and director of Global Security Services at The MITRE Corporation, a government contractor that operates federally funded research and development centers.

The Washington Navy Yard incident cost 12 people their lives; the full impact of the WikiLeaks and Snowden data releases cannot yet be quantified.

"These incidents have added another dimension to the threat paradigm -- privileged access," Mahlik says.

Mahlik suggests that existing insider threat programs must increasingly be focused on users with elevated or privileged access to critical information. To that point, he is leading an overhaul of MITRE's own program. His goal is to understand the threats insiders pose and to deter those threats via a program that synchronizes people, policies, processes and technology. "We are in the nascent stage of this effort," he says.

Realizing the new threat

For a new or revamped insider threat program to be successful, the CIO, CISO or CSO first has to gain boardroom buy-in and make clear the value such a program would have to the company in detecting and preventing harm to people, property and reputation. A thorough assessment of the known or existing vulnerabilities and threats, weighed against the company's overall risk appetite, is essential.

For example, if a company manufactures a unique product, then intellectual property would be a key focus area for the insider threat program. But if a company provides medical services, then protecting patient records would be the emphasis.


Don't try to create an insider threat program during an attack or suspected attack. "That is the worst time to build any program with efficacy," Mahlik says. "You can't build relationships in a time of crisis."

Instead, companies should tackle planning, design and baselining as a necessary and continuous business process. "Institutionalizing a playbook and conducting [drills] before the crisis is the ideal," Mahlik explains.

In most cases, the first place to look for gaps in security is the flow of data in and out of the company. "People can move lots of data around very quickly today," says Dan Velez, senior program manager for Raytheon Cyber Products' SureView insider threat detection and prevention product line. "While that's good for business, it's bad for risk," he notes.

Traditionally, organizations have been good about protecting the perimeter but not what's inside it. "It's time to pull the covers back and examine more closely what's happening on our networks," he says.

Focus on data flow, Velez advises, because newer technologies such as cloud computing and mobile computing are being introduced to the organization on a daily basis, potentially altering the pool of privileged users. In addition, some companies continue to outsource pieces of the business, giving access rights to humans and machines beyond the company's immediate control.
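The advice above (baseline before the crisis, then watch data flows with an emphasis on privileged users) is easier to reason about with a concrete check. The following is an added example written for this article; it is not code from Computerworld, MITRE or Raytheon's SureView. The egress log format, the privileged-user list, the baseline window and the z-score threshold are all assumptions; the log lines are constructed, not real data.

```python
"""Baseline-and-flag check on outbound data volume for privileged users.

Added example for this article, not code from Computerworld, MITRE or
Raytheon. The log format, user list, baseline window and threshold are
assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample egress log (hypothetical proxy/DLP export):
# day, user, destination host, bytes sent. Not real traffic.
SAMPLE_LOG = """\
2014-07-01 alice mail.example.com 100000
2014-07-02 alice mail.example.com 120000
2014-07-03 alice mail.example.com 110000
2014-07-04 alice mail.example.com 90000
2014-07-05 alice mail.example.com 130000
2014-07-06 alice cloud-drive.example.net 5000000
2014-07-01 bob files.partner.example 800000
2014-07-02 bob files.partner.example 750000
2014-07-03 bob files.partner.example 820000
2014-07-04 bob files.partner.example 790000
2014-07-05 bob files.partner.example 810000
2014-07-06 bob files.partner.example 850000
2014-07-06 carol cloud-drive.example.net 9000000
2014-07-06 dave files.partner.example 50000
"""

# Assumption: the privileged-user set is fed from IAM/HR, not hand-maintained.
PRIVILEGED_USERS = {"alice", "bob", "dave"}
# Assumption: the first five days are the "normal" baseline period.
BASELINE_DAYS = ["2014-07-0%d" % i for i in range(1, 6)]


def parse_log(text):
    """Parse the constructed log into (day, user, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, dest, nbytes = line.split()
        records.append((day, user, dest, int(nbytes)))
    return records


def flag_privileged_egress(records, privileged, baseline_days, z=3.0):
    """Return alerts for privileged users whose daily egress departs from
    their own baseline.

    Signals emitted:
      volume          day total > mean + z * pstdev of that user's baseline days
      new_destination host never seen for that user during the baseline
      no_baseline     privileged user with no baseline activity at all (a new
                      contractor, for instance): nothing to compare against
    Non-privileged users are skipped to match the "target privileged access
    first" advice; widen the set to cover everyone once the process is stable.
    """
    baseline = set(baseline_days)
    totals = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    known_dests = defaultdict(set)                    # user -> baseline hosts
    for day, user, dest, nbytes in records:
        totals[user][day] += nbytes
        if day in baseline:
            known_dests[user].add(dest)

    alerts = []
    for user in sorted(privileged):
        history = [totals[user][d] for d in baseline_days if d in totals[user]]
        for day in sorted(d for d in totals[user] if d not in baseline):
            if not history:
                alerts.append({"user": user, "day": day, "reason": "no_baseline"})
                continue
            # pstdev of a single-day history is 0, so a thin baseline makes
            # this strict; require several baseline days in production.
            threshold = mean(history) + z * pstdev(history)
            if totals[user][day] > threshold:
                alerts.append({"user": user, "day": day, "reason": "volume",
                               "bytes": totals[user][day],
                               "threshold": int(threshold)})

    seen = set()
    for day, user, dest, _n in records:
        if user not in privileged or day in baseline or not known_dests[user]:
            continue
        if dest not in known_dests[user] and (user, day, dest) not in seen:
            seen.add((user, day, dest))
            alerts.append({"user": user, "day": day,
                           "reason": "new_destination", "dest": dest})
    return alerts


def run():
    """Run the check over the constructed sample."""
    return flag_privileged_egress(parse_log(SAMPLE_LOG),
                                  PRIVILEGED_USERS, BASELINE_DAYS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample, alice's 5 MB upload to a host she never used in the baseline produces both a volume and a new_destination alert, bob's slightly higher day stays under his own threshold, dave is surfaced as having no baseline at all, and carol's 9 MB transfer is not examined because she is outside the privileged set. That last point is the caveat: a privileged-first scope is a starting point, not the finished program, and the baseline must be rebuilt as cloud, mobile and outsourcing change who holds elevated access.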

Defining the threat

"When we talk about the 'insider threat,' we are talking about someone or something with authorized access [who] could use that access to do harm," Velez says. Mahlik agrees, adding insiders could be employees, business leaders or supervisors, contractors, subcontractors or supply chain partners.
