Where do you start when building an insider-threat programme?

Identify and prioritise your critical data, where it's held and who has access to it as the first steps to build your insider-threat programme advises Keith Lowry, and look at it as a business and not a technology issue.

Where do you start when building an insider-threat programme?
Where do you start when building an insider-threat programme?

When looking at companies wanting to set up an insider-threat programme, some companies employ the right mix of technology, process and awareness, while others often still have a lot of work to do. But one question that often comes in initial discussions is "Where do we start?"

The answer is very simple. “At the beginning.”

That's easier said than done, though. Implementing an insider threat programme isn't always straightforward. The reason why insider threats are such a major concern today is because people within an organisation are responsible for a significant amount of attacks on company data. This is demonstrated by IBM's 2015 Cyber Security Intelligence Index, which pins 55 percent of all attacks on insiders, a combination of malicious efforts and inadvertent actors.

The data that's at risk isn't shrinking either. Its often suprising just how much information organisations have stored on their systems. With data stowed in so many places and accessed by so many people, it's understandable that when companies start trying to protect all this information, they freeze.

Creating an insider-threat programme from nothing requires some serious time in order to do it right. Here are a few basic tips to think about when you set out on that journey.

1: Know your data

You can't protect something you don't know anything about. It's extremely important to catalogue the information your systems contain. Additionally, it's important to ask yourself questions such as “what server is that data on?”, “where is that information physically located?” and “who has access to that application?” This is a much more vital step than many organisations realise.

A formal data map and access audit are the foundations for a successful insider-threat programme.

2: Set priorities

At one organisation in the process of mapping its data to create an insider threat programme, among other purposes, they were asked “Have you identified your crown jewels?” By which was meant, which applications would cripple the organisation if they were compromised?

They proudly answered “Yes, all 80-plus of them.”

While giving them credit for trying to prioritise their data - more than 80 crown jewels? Really? That's simply too many priorities to work with. Instead, it was recommended that they try to create priorities within those applications by considering which apps or data were the most compromising and place those specific items at the top. These priorities are what we consider to be their critical value data.

While massive databases of customer data are extremely important, sometimes very specific documents like strategic plans or company financials would prove more damaging if they fell into the wrong hands. These are also easier to identify and protect than huge sets of data, which can come later on in the process.

3. Technology isn't the only factor

Insider threats are not merely a technology problem. They're also a risk management problem. An organisation needs to set this expectation early and bring it up often during the building and implementation process. You may need to elevate insider threats out of the IT department; to give this concern the proper attention it needs to make its way to the C-suite and the boardroom.

Many “programmes” are technical implementations, tools that sound good when they are pitched or demonstrated but often fall short when they are installed and start getting used in a real environment. It's not unusual that shortcomings arise because the right training, procedures, awareness and other supporting factors haven't been put into place, or they don't do everything they say they can do.

To build a successful insider threat programme it's important to take into account all the above points. By clearly setting the expectations with the leadership (not just IT leadership, but all leadership) within the organisation, targeting the most critical value data, and focusing equal attention on the factors surrounding the technology, you can pave the way for an effective, functional and complete inside- threat programme.

Contributed by Keith Lowry, senior vice president, Business Threat Intelligence and Analysis, Nuix