If you've detected an "insider threat" within your business that is compromising your data, what do you need to do?
An insider threat is a threat to the security of the business from someone within the organisation. It doesn't matter if the threat is malicious or completely unintentional; the result is the same – there is a threat, and it needs to be dealt with.
Here is my advice on the steps you need to take if you discover an insider threat:
Do your research: Develop a process to gather data on a user's activities to help confirm whether or not an incident is taking place.
Back up your actions with documentation: Ensure that there are appropriate security policies and/or employee agreements that back up any actions that may take place due to insider threat activity.
Classification is key: Once a security breach is identified, triage must take place very quickly. Try to find out whether suspicious activity is intentional or not.
Prioritise incidents accordingly: You need to have hard and fast rules for dealing with an insider threat. The best way to do this is using prioritisation. For example:
- P1: Further investigation required right now, all hands on deck, containment is top priority;
- P2: Further investigation required, all hands on deck right now to determine further actions;
- P3: Further investigation required, all hands on deck not required;
- P4: No further investigation required, threat mitigated or nil.
Decide on a mitigation plan: Once you have categorised and prioritised an incident, you should devise a plan based on priority level, established processes, and HR agreements. Disciplinary measures, such as seizure of all of the user's company assets, suspension of employment, or dismissal may be discussed.
Act when the time is right: With your plan in place, it is time to act. Action may include reduced or removed user privileges on high value assets, confiscation of company assets in the user's possession, an interview with your HR and/or IT team and even dismissal.
Gather more data: Once you have acted to contain the threat, it is imperative to understand when the activity may have started, if there is more than one party involved, the scope of the threat, any tools, techniques and procedures put to use, and what the intended target was (if it was intentional).
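To show what "gathering data on a user's activities" and the P1–P4 rules look like when written down, here is an added example (not from the original post) that reconstructs one user's timeline from a constructed endpoint audit log, works out when the activity started, which assets and other parties were involved, whether it is still ongoing, and maps that onto a priority. The log format, the asset prefixes treated as high value, the "copy to removable media" trigger and the priority mapping are all assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint audit log, not real data:
# timestamp user host action asset [destination]
SAMPLE_LOG = """\
2024-03-01T09:05:00 alice ws-12 read hr/payroll.xlsx
2024-03-01T09:40:00 alice ws-12 copy hr/payroll.xlsx usb:E
2024-03-02T22:15:00 alice ws-12 read finance/q1-forecast.xlsx
2024-03-02T22:16:00 bob ws-07 read finance/q1-forecast.xlsx
2024-03-02T22:20:00 alice ws-12 copy finance/q1-forecast.xlsx usb:E
2024-03-03T08:00:00 carol ws-03 read wiki/lunch-menu.md
"""

HIGH_VALUE = ("hr/", "finance/")  # assumed high-value asset prefixes
SUSPICIOUS = {"copy"}             # assumed: copy to removable media is the trigger

def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, asset, *rest = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "action": action, "asset": asset, "dest": rest[0] if rest else None})
    return events

def investigate(events, user, now_iso, ongoing_window=timedelta(hours=24)):
    """Reconstruct one user's timeline (when it started, what was touched, who else
    touched the same assets, whether it is still ongoing) and map it to a priority."""
    now = datetime.fromisoformat(now_iso)
    mine = [e for e in events if e["user"] == user and e["action"] in SUSPICIOUS]
    if not mine:
        return {"priority": "P4", "reason": "no suspicious activity for this user"}
    touched = {e["asset"] for e in mine}
    others = {e["user"] for e in events if e["asset"] in touched and e["user"] != user}
    high_value = any(a.startswith(HIGH_VALUE) for a in touched)
    last_seen = max(e["ts"] for e in mine)
    ongoing = now - last_seen < ongoing_window
    # Assumed mapping onto the P1-P4 scheme: ongoing activity against a high-value
    # asset needs containment now (P1); high-value but quiet is P2; low-value only is P3.
    priority = "P1" if high_value and ongoing else "P2" if high_value else "P3"
    return {"priority": priority, "ongoing": ongoing,
            "first_seen": min(e["ts"] for e in mine).isoformat(),
            "last_seen": last_seen.isoformat(),
            "assets": sorted(touched), "other_parties": sorted(others)}

if __name__ == "__main__":
    print(investigate(parse_log(SAMPLE_LOG), "alice", "2024-03-03T08:00:00"))
```

Run against the sample log at 08:00 on 3 March, alice comes out as P1 with bob flagged as a second party on the same asset; the same evidence a week later drops to P2 because nothing is still in progress.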
Remember: keep your policies up to date and prompt your employees to re-read them and agree to them on an annual basis. Keep an incident response plan handy. Remember that data is your friend, so it doesn't hurt to have a robust user behaviour analytics engine running behind an endpoint monitoring solution.