There are obviously more roles within the organization that will
become involved should you elect to implement technological
solutions designed to help detect, and reduce the resources
needed to investigate, insider threats. These resources will depend
on your organizational structure, and may report up to the
CISO in an enterprise, or be part of IT in smaller and mid-sized
Once you’ve identified those individuals that need to be involved,
the first step is to put some level of insider control in
place on an employee’s first day of employment.
Adjust your Hiring Process to Address Insider Risk
Insider risk begins the moment you grant access.
What’s required on an employee’s first day is to present them with a Confidentiality & intellectual Property Agreement (CIPA). This agreement is designed to put a number of insider risk controls in place:
- Define Confidential Information – The new employee should understand what categories
of information constitute confidential data and the organization’s intellectual property. By
communicating what the organization considers confidential information, the new employee
begins their employment aware of the organization’s desire to protect its’ confidential
information. This should be very specific, relying on IT and Security staff to define what kinds of information are of a sensitive nature.
- Convey Confidentiality Requirements – An awareness of what actions are and are not
appropriate when it comes to the handling of confidential information needs to be detailed. By
describing how the organization wants an employee to conduct themselves when working with
and when coming in contact with confidential information further conveys the organization’s
strong stance on protecting its’ confidential information. Legal and Security staff can provide
guidance on what kinds of actions are inappropriate to ensure employees understand their
- Communicate Expected Behavior – An emphasis on how the employee should err on the
side of confidentiality should be communicated. By establishing expected behavior, the
organization makes absolutely certain the employee has a clear picture of the organization’s
assumptions around how the employee is to treat any confidential data.
- Inform of Need to Return or Destroy – The employee should have an understanding that
any and all data that falls subject to the CIPA or is owned by the organization is expected to be
returned or destroyed upon termination of their employment.
This CIPA should be presented to every employee regardless of the employee’s position, title, level of
perceived access to sensitive information, etc. The goal of the CIPA is to level-set every employee about
how the organization seeks to safeguard their confidential information and the employee’s role in helping
maintain that protection. This is something that is commonly, but not universally done. If you were asked
to sign one when you started, you can feel good that your organization has addressed one of the most
basic building blocks of an effective insider threat program.
Making the CIPA Understandable
Because the CIPA is a legally-binding document being given to people normally having little more
experience with contracts than perhaps their mortgage, tenant, or car lease agreement, it is important to
have the CIPA written using as close to “plain English” as possible. Using clear everyday language helps
establish the effectiveness of the document as a deterrent, spelling out exactly what the organization
defines as confidential and what it expects of an employee.
It’s equally important to spell out those expectations and not have brevity be the default. For example, if
the CIPA states that “all company data and assets must be returned”, does that mean an employee simply
needs to forward a copy of an email they have, but can keep the original? Of course not. So the CIPA,
in this instance, would need to use language like “return and destroy” spelling out that an employee (or
contractor) is to have no physical or digital copies of any company data, emails, information, etc.
Define Risk Levels
In order to establish controls that allow the organization to properly detect insider risk, you must first know where you should be looking. Each position within your company has a relative level of risk associated with it. For example, a position that has access to and works directly with intellectual property puts the organization at a much higher level of risk than someone who has limited access to customer contact data. A measured response is needed for each position, relative to its level of risk. Put not enough emphasis on monitoring risky users and you will find your organization a victim of an insider attack. Put too much emphasis on ‘eyes on glass” monitoring of users that pose no real risk to the organization, and you will have wasted time, budget, and energy
How Should You Assign Risk?
So, you can see that it is important to first assign risk levels and then, based on the risk assessment, make decisions on the controls that should be in place. There are a few levels at which you can assess and assign risk:
- Based on Position – Risk can most easily and accurately be assigned by looking at a given role
or position within the organization. While the person occupying a position may change over
time, the position itself will have similar access, working locations, employee autonomy, etc.
- Based on Department – In some cases, an entire department – regardless of specific role –
presents a similar risk to the organization based on their access to confidential information, an
ability to transmit/export data, etc. A good example is the Sales department.
- Based on an Individual – In extremes cases, an individual may have extenuating access to
company data regardless of title, position, or functional role, such as the founder of a company.
The goal is to quantify a degree of risk using some method of scoring (can be 1-10, grading A-F, even by
asking Y/N questions and adding up all the Y answers). The calculation method isn’t as important as is
working through the assigning risk process and doing it consistently. The scores should be determined
using a number of both objective and subjective criteria (to properly inject the organization’s view on the
risk a position, department, or individual poses), such as:
- Access to confidential information
- Ability to export data
- Ability to freely transmit data over unsecured channels
- Amount of supervision
- Whether they work locally or remotely
- How much damage would a given employee (based on department, position,
or themselves) do if they decided to steal information
The list above is by no means comprehensive, but does provide direction around the types of criteria you
should use to start developing a scoring system. The focus should be on the ways any employee can pose
a risk to your organization, and how detrimental the repercussions of malicious actions would be if they
were to be taken by a given employee.
Once you have decided upon and finalized the questions used on your risk scoring worksheet, along with
the associated scoring method, you will work through each of the positions, departments, and individuals,
and have a number of scores.
See Guide Essentials: Quantifying Positional Risk Worksheet – use this worksheet to see examples of how you might assign risk scores.
It’s important that the criteria used be consistently across every single position, department, and individual. Why? Because when you run your very first assessment of risk and, based on your model, come up with a risk score of, say, 7 – what does that even mean? Right. Initially, nothing.
It’s not until you look at various positions, individuals, and departments and begin to see the similarities and differences in how you scored each, and use those comparisons to group risk scores into simpler levels – such as Low, Medium, and High (shown below) – that will correspond to everyday controls you will implement to detect and prevent risk (detailed in the next section).
Lastly, because risk will shift over time as new technologies, security policies, and IT processes are put in place, it’s important to perform a periodic review process to ensure the correct risk levels are assigned (and, therefore, risk controls are in place). This can be quarterly, semi-annually, or annually. You’ll need to decide how often to review both the questions and scoring system used.
Once a given risk score has been defined for a given position, department, or individual, the score should be communicated - to HR to empower them as a source of intel around personal and personnel issues that may signify a need for elevated scrutiny by your security team, and to your security team itself so they can align proactive measures to risk.
Align Risk Levels to Everyday Controls
At a very high level, the risk scores equate to how much the organization sees the position, department, or individual in terms of potential exposure. Because a successful insider attack will result in harm to the organization, the appropriate response is to watch for signs or elevating insider risk (metastasizing into threat), using an appropriate level of scrutiny aligned to their risk level. In general, those with a lower level of risk only need to be monitored with a level of scrutiny that looks for leading indicators of elevating risk. Those posing a higher level of risk need to be monitored far more carefully –with an ability to rapidly review their actions in detail if necessary.
You should group your assigned risk scores into two or more categories that correspond to implementations of the following technical controls (more detail on how to best take advantage of each of the technologies below is provided in the Guide’s Epilogue):
Lower-Risk Everyday Control – User Behavior Analytics
While those determined to pose a lower level of risk (as determined by the outcome of your Assigning Risk process) appear to be of no significant threat to the organization, it is critical to remember that risk can shift without warning, making it necessary to – at a minimum – analyze their behavior to proactively detect if the low-risk individual one day poses a higher risk based on leading threat indicators.
User Behavior Analytics (UBA) watches both an individual’s interaction with company resources and their communications, baselining what is considered “normal” in order to detect anomalies that suggest an insider threat. Using a combination of machine learning algorithms, data science, and analytics, UBA can quickly identify when an employee is demonstrating behaviors synonymous with malicious insiders – or if an external actor intent on harming the organization has compromised the credentials of the employee.
Higher-Risk Everyday Control –
User Behavior Analytics + User Activity Monitoring
For those demonstrating higher levels of risk, the organization needs to collect and maintain a system of record of their activity, while mining that activity for signs of insider threat. Employing UBA with a tighter sensitivity around anomalies makes
UAM provides the organization with ability to record, alert on, and review insider activity. To demonstrate how UAM provides value, let’s re-use example of the Accounts Payable person in a construction company pulling a list of customers. With UAM, someone in IT or Security could be notified when an Export of details is run within the AP application. A review could then be performed by playing back the activity in detail before, during and after the export to see why the insider (now a POI) pulled the list of contractors and what they did with it.
It’s this context that allows organizations to understand the intent of the employee. If it was found that the AP employee copied the exported data to a USB drive with no evidence of any request for it on the part of any superior in the company, you know you have an insider threat action. But if an email was received prior to the export from the CFO wanting to run an analysis on the data, and the export itself was printed out, it becomes clear it was an action take as part of doing their job.
Aligning Controls to Risk Levels
We’ve provided just two types of controls. But, based on organizational need and the chosen solution(s),
you may desire to take your assigned risk scores and group them into more than just two control levels.
It’s important to consider the capabilities of your chosen UBA and UAM solution(s), with an eye towards
making sure they deliver the ability to:
- Analyze – the activity and behaviors in your organization,
- Detect – meaningful events or shifts that suggest imminent risk,
- Prioritize – where your focus should be by presenting only meaningful information without
contributing to ‘over-alert syndrome’, and
- Respond – effectively and efficiently, without significant strain on the organizations people and
For example, you may have three control levels, representing those the organization deems are a low threat, those of medium risk that have access to some valuable – but not critical – data, and those of high risk with access to sensitive, confidential data.
There will need to be some work done to align the specific features of UAM and UBA solutions back to the risk-mitigating intent of each of the risk levels. It’s this alignment that will help both choose the correct solution(s), while also establishing the right number of control levels.
Address Risk During your Termination Process
One of the best practices found in the Common Sense Guide to Mitigating Insider Threats – a document written well ahead of its time by the world-renown CERT division of Carnegie Mellon University’s Software Engineering Institute (SEI) – is the need to develop an employee termination process that takes into account the threat a departing employee can pose.
Whether being terminated or leaving on their own accord, the exit period poses one of the highest risk timeframes to an organization. Loyalties quickly shift from the organization to the individual, and thoughts move from responsibilities to their soon-to-be “former” employer to a focus on the next job and its’ requirements.
To mitigate insider risk during this high-risk exit period, two processes must be put in place – one to address an employee that is being involuntarily terminated, and another to address a voluntary termination (resignation) involving a notice period. It should be noted that this guide touches on steps normally taken by HR. However, this guide is strictly focusing on those steps that help to mitigate insider risk and, therefore, should not be misconstrued as presenting a comprehensive termination process.
While having very similar steps, they should be considered separate processes to ensure service levels are properly defined and met when put into action.
This involves a situation where an employee is being laid off or discharged. Since in most cases this is not a pleasant separation, the assumption is that the employee’s loyalties will quickly diminish to zero, putting the responsibility of ensuring confidentiality and the security of organizational data and resources firmly on members of the Security team. The process should begin the moment the decision is made to terminate employment, and will include one or more of the following tasks (depending on your organization):
- Notification of desire to terminate – This is the first step in the process where internal
management notifies HR (or equivalent) of the need to terminate an employee. This needs to
be done as soon as the decision is made.
- Notify IT of termination and employee last day – IT needs to be informed that an
employee’s access will need to be revoked, and when to revoke it. This also should initiate an
audit around any organizational assets currently possessed by the employee.
- Conduct a 30-day Activity Review – A review of the last 30 days of the employee’s online
and communications activity must be conducted. In many cases, involuntary termination isn’t
a surprise to the employee and loyalties may have shifted weeks prior, giving the employee
ample time to exfiltrate data, etc. This 30-day period has been shown to be the time when a
great deal of IP and other confidential information are taken. Completing a comprehensive
review without the type of detailed information that UAM can provide in a single pane of glass
can be difficult, but if you cannot convince your organization to provide you with purpose built
tools, make best efforts using what you have – but be sure to let management know you are
giving them a report based on what you had available to you
- Notification of any inappropriate activity found – Should any questionable, or
unquestionably inappropriate actions be found during the activity review, HR and Legal should
be notified. The actions found may have consequences on how the termination itself will
- Employee notification of termination – This begins the actual process of terminating
- Review of Signed CIPA with employee – One of the first steps in every termination, the CIPA
should not just be presented to the employee, but reviewed, explaining the obligations this
document lays out – that the employee has previously agreed to. At this point, it is also prudent
to mention that the employee will be asked to sign a Certificate of Return and Destruction from
the employee prior to leaving.
- Terminate Access – While notifying the employee and reviewing the CIPA, access to all data,
systems, applications, and resources should be terminated by IT.
- Return or destruction of company property – All company property should be returned
and all company data (in all possible forms – printed, in email, stored in files on a USB drive or
cloud storage, etc.) should either be returned or destroyed.
- Obtain signed Certificate of Return and Destruction – The employee is asked to sign the
legally binding document, indicating they are taking, nor have access to, any company data –
whether confidential or not – with them once they leave the organization.
Each task should have a responsible role or individual and a service level timeframe assigned. This way
expectations are communicated to each person involved regarding expected response times. The
timeframes will vary, based on risk scores and perceived immediacy, noting that exceptions to these will
occur. Some tasks require another role or individual to be notified; this should also be documented with
a given task, when appropriate.
When an employee leaves of their own volition, this process begins the moment notice is given (one of
the differences between this and the involuntary termination process). Voluntary termination can also be
initiated by an employee no longer showing up for work a designated number of days without providing
any notice, in which case, the process begins based on HR’s definition of Job Abandonment.
The process for a voluntary termination is very much like that of the Involuntary Termination, with a few
- Employee provides notice – There is an assumption (putting job abandonment aside) that the employee will provide notice, kicking off the termination process.
- Notice period determination – The organization needs to decide whether they wish to accept the notice period, or modify it.
- Conduct a +/- 30-day Activity Review – Should an employee’s notice period be accepted, their activity from the date of notice to the date of employment termination should be reviewed in addition to the 30 days prior to the date of given notice.
Another difference will be the timeframes for each task. For example, the review of the CIPA should happen on the day of notice given, rather than the day of termination – as in the case of the involuntary termination. Lastly, service levels may also differ – such as notification of termination to IT. In the voluntary termination scenario, IT should be notified the same day notice is given, but immediately during an involuntary termination.
See Guide Essentials: Risk-Lowering Termination Process – Use this document as the basis for defining termination process roles, actions to be performed, assignments of actions, and service levels to be met.
While the entire process has been simplified down to just 5 steps, determining where to begin can be pretty daunting. Do you need to start scoring every position within the organization? You already have a job to do, so it’s unlikely you could even if you needed to.
In reality, the most important part of where to start is simply starting. Begin with any open positions that are being filled by HR – these will be filled by people you know the least. Score those positions, along with a few positions you know should be of higher risk as a point of reference. Once you have those completed, you can begin to profile positions you know represent an insider risk (just not how much) – those that daily interact with confidential data, intellectual property, customer data, and the like - and begin to build out a comprehensive set of positional risk documents.
Even if you don’t have a UAM or UBA solution ready to implement, quantifying insider risk at least gives you some perspective on how big the problem is within your organization – which may help speed up the selection and purchase of a solution to help monitor user behavior and activity.
Insider threats represent one of the greatest challenges of organizations today. Not only are they capable of involving your organization’s most confidential and valuable data, but they are also the most difficult to identify. Insider risk begins the moment the employee steps foot in the door, and ends the moment the door permanently closes behind them. So, it’s important to follow this guide from beginning to end, to properly implement controls that protect the organization from insider risk at all stages of an employee’s tenure within the organization.
By taking the steps outlined in this guide, you will have a better understanding of just how much insider risk exists, and – more importantly – where it exists. The guide also provided enough direction to put preventative steps in place to be able to thwart, detect, and – if needed – document insider threat activity.
1 Deloitte, Insider threats: What every government agency should know and do (2016)