(Updated 10/19/2020) Building an effective insider threat management program is a team sport. It requires the involvement of not only the security team, but also legal, HR, compliance, and many other professionals in the organisation. The goal of this Professionals Series is to help security teams navigate their relationship to other roles within an insider threat program. Ideally, knowledge of the complex nature of insider threats can help speed incident response and establish the right policies and procedures for prevention.
To kick off our series, we’ll explore the ideal relationship between security and legal teams within an insider threat program. This includes division of responsibilities, how to establish best practices, and what to do when an actual incident takes place.
How Legal Can Help Establish Insider Threat Best Practices
An important theme when establishing an insider threat program is balancing security and user privacy. The former involves protecting your organisational assets, including people, information, facilities, intellectual property and brand reputation. The latter includes ensuring that your employees are not subjected to invasive intrusions that breach their reasonable expectations of privacy.
To make sure that security and privacy are effectively balanced, security teams should consult a legal professional on topics such as relevant employment laws and user privacy rights. Legal teams can also walk through a list of things to consider to help mitigate insider threats from a policy perspective, as well as adequately protect employees with the proper disclosures.
For example, most U.S. states abide by at-will employment laws, which give employers the ability to leverage user activity monitoring, among other types of monitoring, as a condition of employment. Most states do not require employers to obtain employee “consent to monitor,” although it is a best practice to do so. A legal professional can help security teams navigate the proper documentation for this type of consent, and similar types of issues. In addition, tools like Proofpoint Insider Threat Management can take user privacy a step further by anonymising user data on an ongoing basis during the monitoring process, particularly personally identifiable information (PII).
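The anonymisation described above can be illustrated concretely. The following Python is an added example written for this post, not Proofpoint Insider Threat Management code, and it makes its own assumptions: the activity events, usernames, hostnames and paths are constructed samples; the secret key is a placeholder that in practice would be held by a custodian outside the analyst tooling (the legal or HR side of the division of labour discussed here). It shows a keyed, deterministic pseudonym for PII fields so analysts can still correlate a user's activity without seeing who the user is, and a gated re-identification path for when an investigation legitimately needs the identity.

```python
import hashlib
import hmac
import json

# Constructed sample of user-activity events, shaped like what a monitoring
# tool might emit. All names, hosts and paths are made up for this example.
SAMPLE_EVENTS = [
    {"user": "alice.smith", "host": "LAPTOP-0042", "action": "file_copy",
     "target": "C:/Users/alice.smith/Documents/q3-forecast.xlsx",
     "ts": "2020-10-19T09:12:03Z"},
    {"user": "alice.smith", "host": "LAPTOP-0042", "action": "usb_insert",
     "target": "E:/", "ts": "2020-10-19T09:13:40Z"},
    {"user": "bob.jones", "host": "LAPTOP-0077", "action": "file_copy",
     "target": "C:/Users/bob.jones/Desktop/notes.txt",
     "ts": "2020-10-19T09:15:22Z"},
]

# Fields treated as PII in this example. The key is an assumed placeholder;
# a real deployment would hold it outside the analyst tooling.
PII_FIELDS = ("user", "host")
SECRET_KEY = b"placeholder-secret-held-by-the-key-custodian"


def pseudonym(value: str, key: bytes = SECRET_KEY) -> str:
    """Keyed, deterministic token: the same identity always maps to the same
    token, so per-user correlation still works, but without the key the token
    cannot be reversed or brute-forced from a list of usernames."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseu-" + digest[:16]


def pseudonymise_event(event: dict, key: bytes = SECRET_KEY) -> dict:
    """Return a copy of the event with PII fields replaced by tokens."""
    out = dict(event)
    for field in PII_FIELDS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    # Home-directory paths embed the username; swap it inside the target too,
    # otherwise the identity leaks through a non-PII field.
    if "user" in event and "target" in out:
        out["target"] = out["target"].replace(event["user"], out["user"])
    return out


def pseudonymise_events(events: list, key: bytes = SECRET_KEY) -> list:
    return [pseudonymise_event(e, key) for e in events]


def contains_raw_pii(events: list, identities: list) -> bool:
    """Check used before releasing data to analysts: does any raw identity
    string still appear anywhere in the serialised events?"""
    blob = json.dumps(events)
    return any(identity in blob for identity in identities)


def events_per_user(events: list) -> dict:
    """Analysts can still count and correlate activity per (pseudonymous) user."""
    counts: dict = {}
    for e in events:
        counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


class ReidentificationVault:
    """Held by the key custodian. Records token -> identity so a specific
    investigation can be unmasked, but only with documented approval."""

    def __init__(self, key: bytes = SECRET_KEY):
        self._key = key
        self._map: dict = {}

    def register(self, identity: str) -> str:
        token = pseudonym(identity, self._key)
        self._map[token] = identity
        return token

    def unmask(self, token: str, approved: bool) -> str:
        if not approved:
            raise PermissionError("re-identification requires documented approval")
        return self._map[token]


if __name__ == "__main__":
    masked = pseudonymise_events(SAMPLE_EVENTS)
    print(json.dumps(masked, indent=2))
    print(events_per_user(masked))
```

The design choice worth noting is the HMAC rather than a plain hash: a plain SHA-256 of a username is trivially reversed by hashing the company directory, whereas the keyed token is only reversible by whoever holds the key, which is the property that keeps the monitoring data useful to security while the identity stays with the custodian.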
Finally, it is increasingly important to implement clear security policies and training programs. These set the tone for the company culture and demonstrate transparency, while at the same time promoting an understanding of the boundaries and parameters necessary to keep the company secure. Documentation of policies can also serve as evidence of employee knowledge and training in discrimination and unlawful termination lawsuits. Security teams should work with legal to review corporate policies and ensure the proper documentation is in place as evidence of training.
Working with Legal to Navigate an Insider Threat Incident
In the event of an insider threat incident, the entire cross-disciplinary team must spring into action during incident response. Specifically, legal should be prepared to help security teams navigate the timelines and communications around breach disclosure, in tight coordination with local compliance regulations. It is also important to note that, at the outset, organisations should have a lawyer thoroughly review which local, national or international laws apply as they develop security and privacy policies.
For example, under GDPR article 33, organisations need to notify authorities of a data breach within 72 hours of becoming aware of it. Beyond notifying authorities, teams must comply with specific local regulations and timelines around customer disclosures. In addition, any statements regarding the data breach (such as blogs, social media posts, press releases, customer emails or internal employee communications) should be thoroughly reviewed by legal.
During the insider threat investigation process, once evidence is gathered by the security team, legal can use reports from tools like Proofpoint Insider Threat Management that indicate who did what, when, where and why to build a case as needed. After a thorough review of the evidence, legal and HR can coordinate around the appropriate resolution for the responsible employee or employees. While some incidents may warrant termination or disciplinary action, others are caused by unintentional user actions. These can often be remedied with further cybersecurity awareness training.
Want to know more about how security and legal teams interact within an Insider Threat program? Download our Ultimate Guide to Building an Insider Threat Program today.