How to tackle an insider data security threat

By: Jamie Graves

Date: 3 November 2016

If you've detected an "insider threat" within your business that is compromising your data, what do you need to do?

An insider threat is a threat to the security of the business from someone within the organisation. It doesn't matter if the threat is malicious or completely unintentional; the result is the same – there is a threat, and it needs to be dealt with.

Here is my advice on the steps you need to take if you discover an insider threat:

Do your research: Develop a process to gather data on a user's activities to help confirm whether or not an incident is taking place.

Back up your actions with documentation: Ensure that there are appropriate security policies and/or employee agreements that back up any actions that may take place due to insider threat activity.

Classification is key: Once a security breach is identified, triage must take place very quickly. Try to find out whether suspicious activity is intentional or not.

Prioritise incidents accordingly: You need to have hard and fast rules for dealing with an insider threat. The best way to do this is with a prioritisation scheme. For example:

  • P1: Further investigation required right now, all hands on deck, containment is top priority;
  • P2: Further investigation required, all hands on deck right now to determine further actions;
  • P3: Further investigation required, all hands on deck not required;
  • P4: No further investigation required, threat mitigated or nil.

Decide on a mitigation plan: Once you have categorised and prioritised an incident, you should devise a plan based on priority level, established processes, and HR agreements. Disciplinary measures, such as seizure of all of the user's company assets, suspension of employment, or dismissal, may be discussed.

Act when the time is right: With your plan in place, it is time to act. Action may include reduced or removed user privileges on high value assets, confiscation of company assets in the user's possession, an interview with your HR and/or IT team and even dismissal.

Gather more data: Once you have acted to contain the threat, it is imperative to understand when the activity may have started, if there is more than one party involved, the scope of the threat, any tools, techniques and procedures put to use, and what the intended target was (if it was intentional).
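To make the "Do your research" and "Prioritise incidents" steps concrete, here is an added example (not from the post, and not ZoneFox code) that scores each user's latest day of endpoint activity against that same user's earlier days and maps the deviation onto the P1-P4 tiers above. The log format, the 07:00-20:00 working day and the z-score thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed endpoint-monitoring records: user,timestamp,action,bytes (assumed format)
SAMPLE_LOG = """\
alice,2016-10-25T09:12,copy_to_usb,5000
alice,2016-10-26T10:30,copy_to_usb,8000
alice,2016-10-27T11:05,copy_to_usb,6000
alice,2016-10-28T02:40,copy_to_usb,950000000
bob,2016-10-25T09:00,copy_to_usb,12000
bob,2016-10-26T09:10,copy_to_usb,11000
bob,2016-10-27T09:30,copy_to_usb,13000
bob,2016-10-28T10:00,copy_to_usb,12000
"""

def is_off_hours(hour):
    return hour < 7 or hour >= 20  # assumed working day of 07:00-20:00

def daily_totals(log_text):
    """Sum bytes per (user, day) and flag days with any event outside working hours."""
    totals, off_hours = defaultdict(int), defaultdict(bool)
    for line in log_text.splitlines():
        user, ts, _action, nbytes = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
        totals[(user, when.date())] += int(nbytes)
        if is_off_hours(when.hour):
            off_hours[(user, when.date())] = True
    return totals, off_hours

def score_user(user, totals, off_hours):
    """Compare the user's latest day with their own earlier days; return (priority, z)."""
    days = sorted(d for (u, d) in totals if u == user)
    latest, history = days[-1], days[:-1]
    if len(history) < 2:
        return "P3", None  # no usable baseline: a person must look, but not all hands
    baseline = [totals[(user, d)] for d in history]
    z = (totals[(user, latest)] - mean(baseline)) / (pstdev(baseline) or 1.0)
    after_hours = off_hours[(user, latest)]
    if z > 3 and after_hours:   # assumed thresholds mapping onto the post's P1-P4
        return "P1", z           # contain now
    if z > 3:
        return "P2", z           # all hands to decide next steps
    if z > 1.5 or after_hours:
        return "P3", z           # investigate, no all-hands needed
    return "P4", z               # nothing to act on

def triage(log_text):
    """Return {user: priority} for every user seen in the log."""
    totals, off_hours = daily_totals(log_text)
    return {u: score_user(u, totals, off_hours)[0] for u in sorted({u for u, _ in totals})}
```

A user with fewer than two earlier days has no baseline to compare against, so the example hands that case to a human as P3 rather than silently scoring it.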

Remember: keep your policies up to date and prompt your employees to re-read them and agree to them on an annual basis. Keep an incident response plan handy. Remember that data is your friend, so it doesn't hurt to have a robust user behaviour analytics engine running behind an endpoint monitoring solution.

Sponsored post. Copyright © 2016 Jamie Graves, co-founder and CEO of ZoneFox, an Edinburgh-based cyber security company. There's more advice on dealing with an insider threat on the ZoneFox website.
