In May of 2016, the Department of Defense published a new regulation requiring government contractors to establish and maintain an insider threat program to detect, deter and mitigate security risks from within. The fact that the U.S. government is mandating an insider threat program has gotten the attention of private business leaders and boards of directors. Many companies are now building or enhancing their insider threat program beyond classified information security.

Knowing the risk

Insider threat is any risk posed by current or formerly trusted individuals with access or privileged knowledge used to damage, deprive, or injure stakeholders, assets, critical processes, information, systems or brand reputation. Insider threats include any illegal, prohibited or unauthorized conduct (both acts and omissions).

Is insider threat becoming a bigger issue to companies? When asked about top risks to organizations, a practitioner poll showed that insider threat came in second place after cybercrime. However, in the same poll, only 46 percent of respondents had a formal insider threat program in place. The most often cited thing organizations were doing to address this risk was monitoring access to systems and physical assets.

“The biggest organizational hurdle to combating insider threat is the diversity of functions that manage these varied sources of information.”

Preempting the threat

However, leaders are looking for new tools and resources to proactively address insider threats. Newer sources of early warning indicators can consist of information from social media, “dark web” criminal activity monitoring, real time reporting of arrests and associated information and civil court final proceedings.

This should be combined with internal corporate data including performance data and corrective actions taken. All this information has the potential to identify and communicate behaviors that could signal a troubled person or a troubling situation that could escalate to an insider threat action.

The biggest organizational hurdle to combating insider threat is the diversity of functions that manage these varied sources of information. There will never be a perfect process to identify all risks to people and organizations proactively — there are just too many variables. However, when a unified risk oversight model that promotes the inclusion of all corporate stakeholders and possible information sources is used, the likelihood of avoiding significant losses or incidents is greatly reduced.

How vulnerable is your company to insider threat?

How many of these questions can you say yes to? Find out your risk below.

  • Do you know who is responsible for pre-employment screening in your enterprise?

  • Do you get regular reports on pre-employment screening results?

  • Do you know the screening criteria and whether they contain the elements that would most likely indicate an insider risk?

  • Do you have a program that identifies potential violence at its earliest stages?

  • Does your company have a behavior analytics reporting system on your key computer assets?

  • Do you track and investigate unusual access attempts to facilities, information and systems by employees and contractors?

  • Have you recently reviewed your separation of duties and responsibilities?

  • Have you asked all of your key managers what insider threat events they're monitoring for?

  • Did they all answer appropriately, or are you confident they would if asked?

  • Have you asked all your direct reports what steps they've taken to reduce brand, people, property and product risk from insiders?

  • Is an assessment made of the access rights of every employee leaving the company, and appropriate actions taken to revoke those access rights?

Scoring:

If you answered yes to 5 or less: High Risk

You need to become more involved in your risk oversight process and learn what controls the organization has in place.

If you answered yes to 6-8: Moderate Risk

You are probably concerned and involved with risk management but should broaden your horizon to other areas of risk.

If you answered yes to 9 or more: Low Risk

You clearly have a good understanding of insider risk and the controls; or you've recently had insider security breaches.