Insider threats continue to increase and make headlines. So, it is no surprise that many CISOs consider it a high priority to proactively identify and prevent these types of threats. In fact, research for the 2024 Voice of the CISO report from Proofpoint found that a third of CISOs globally see insider threats as their biggest cybersecurity challenge over the next 12 months.
A formal insider threat management programme can help your business respond faster to insider threats – and decrease their impact as well. But just having a programme is not enough. You must also be able to identify, prevent and respond to insider threats effectively and in a timely way. This ensures that you can minimise financial and brand damage.
National Insider Threat Awareness Month is an ideal time to reflect on this question: How effective is your insider risk programme? This blog post can help you find the answer. We will look at a model that you can use to evaluate the strength of your insider risk programme.
The Insider Risk Programme Effectiveness Model
You can use the Insider Risk Programme Effectiveness Model (IRPEM) to evaluate your insider risk programme and determine how well it can support your efforts to deter, detect, mitigate, and respond to insider threats. You can use the model and its attributes to evaluate where you can improve and strengthen your security posture.
The ultimate aim is to create a mature and predictive insider risk programme that helps your business identify potential risks as early as possible.
The early identification of stressors and risky behaviours can provide your business with positive response options such as a recommendation to an Employee Assistance Programme (EAP), which helps to build trust around your programme. (You can increase your ability to reduce financial loss and reputational damage due to insider threats with a programme that is both effective and trusted.)
Insider risk vs. insider threat – what is the difference?
Before we review the IRPEM in detail, it is important to clarify the difference between an “insider risk” and an “insider threat”. Many people use these terms interchangeably, but they are not the same.
An insider threat is a subset of insider risk. All insiders pose some level of inherent risk to the business given their access to the company’s data and systems as well as behavioural pre-dispositions brought with them. However, not all insiders will become an insider threat. An insider poses a threat when they use their access to systems, data and applications to somehow cause harm to the company’s finances, reputation, business relationships, people, mission, or customers either maliciously or unintentionally.
You need a strategic and tactical approach to manage both insider risks and insider threats effectively. That’s why it is important to understand how they are different.
A detailed look at the Insider Risk Programme Effectiveness Model
Now, let’s discuss the IRPEM. This model defines whether an insider risk programme’s approach is:
- Reactive (weakest)
- Proactive (moderately strong)
- Predictive (strongest)
The attributes at each level of effectiveness are not a comprehensive list. But they address the core differentiators in two key areas – personnel and training, and data collection and analysis.
The reactive approach – “When it happens, we will address it”
A reactive insider threat programme is focused on reacting to a loss event after it occurs. This can include events that involve the following:
- Data/intellectual property theft
- Sabotage
- Fraud
- Espionage
- Violence
Typically, this type of programme only offers training around how to spot these actions, and not the early warning signals that can lead up to a loss event.
Personnel and training
A reactive programme:
- Lacks formalised insider threat training for internal departments, managers, or employees; it leaves them unaware of the insider threat risk, and thus it makes them less likely to recognise when risk indicators occur
- Has no secure structure for employees to report observable insider threat behaviours
Data collection and analysis
A reactive programme:
- Lacks a formal insider threat detection strategy and incident response plan; the reaction after an insider security breach is to evaluate the technical context around the breach to determine the user’s intent
- Does not foster collaboration between relevant departments when suspected insider threat activity occurs
- Fails to identify personnel who are likely to be at high risk for leaving the company; instead, there is a retroactive evaluation of employee activity at the end of their employment life cycle to look for insider threat activity after the business knows they are voluntarily moving on or being let go
The proactive approach – “Better safe than sorry”
A proactive insider threat programme focuses on the prevention of loss events through the use of formalised policies, procedures, and training that helps to limit exposure. The use of technologies to identify insider threats before loss events occur is a feature of this approach.
Personnel and training
A proactive programme:
- Uses existing, industry-standard security policies, procedures, and compliance training to establish baseline expectations and consequence management
- Develops dedicated insider threat training for relevant internal departments to enhance their awareness of reportable insider threat risk indicators such as:
- Acceptable use policy violations
- Disgruntlement/Toxicity
- Unethical Conduct
- Corporate Card Misuse
- Unapproved Foreign Travel
- Defines a secure reporting structure to allow employees to report suspected observable insider threat behaviours
Data collection and analysis
A proactive programme:
- Defines an insider threat detection strategy, incident response, and communication plan
- Allows for a collaborative, information-sharing process between relevant departments when suspected insider threat activity occurs
- Prioritises the monitoring of identified high-risk personnel like the following:
- New employees - or those within their initial 90-day probationary period
- Exception groups - those who are placed in groups with business justification that then effectively go unmonitored
- Privileged users - those who, by the very nature of their roles, have access to high-value, critical assets, such as sensitive business or client and customer information, or access to other data, systems, materials or facilities
- Flight risks - employees who are likely to leave the company with unfavourable circumstances leading up to their departure (e.g., those who are on a performance improvement plan, are under investigation, have been demoted, have received low performance ratings that could affect their bonus, have received disciplinary action, or have had conversations with management prior to taking a leave of absence)
- Departments - employees affected by organisational changes that can lead to professional stressors; these changes can include a reduction in force, mergers and acquisitions, restructuring, a new business focus that may impact work, or budget restraints that may affect bonuses and promotions
The predictive approach – “Ahead of the curve”
This approach builds on the previous stages. It focuses on the detection of early warning signs of stressors – personal, professional, familial or financial – that may lead to the risk of insider exploitation. It incorporates the “human factor” and technical data so that analysts can build a comprehensive picture that helps them to predict potential insider threat activity – and prevent it.
Personnel and training
A predictive programme:
- Empowers department senior leaders, frontline managers and fellow employees to recognise the more subtle deviations in employee behaviours, where even the strongest technology and detections may fall short
- Strives to make your workforce the first line of defence against potential insider threats
Data collection and analysis
A predictive programme:
- Enforces insider threat detection of potential risk indicators across the enterprise; these indicators include stressors, concerning behaviours and techniques
- Prioritises enhanced monitoring of known high-risk groups
- Incorporates new high-risk groups informed by insight into the evolving risk landscape provided by threat intelligence teams, like:
- External threat actors that target disgruntled employees for access credentials or data
- Financially strained employees who may be more vulnerable and likely to engage with a threat actor for payment
With a predictive programme, you can also see trends and patterns in your organisation that help you to stay ahead of the curve and lower your risk. For example, when your IT department rolls out a new prevention control, your employees may use other routes to avoid it. This pattern can help your team find clusters of employees who need additional support.
A predictive programme also allows for an adaptable insider threat programme that has a well-defined feedback loop. Security personnel can proactively defend and respond to insider threats and share any early warning signals with other departments that may otherwise go unnoticed.
Want to find out more?
During Insider Threat Awareness Month, Proofpoint invites you to join our webinar series. You can learn about why it’s so important to have an insider threat programme that is effective, whether it is focused on data protection or insider risk.
New to the topic of insider threat management? Get up to speed with our Insider Threat Management Starter Pack.