Uniting Forces: Cross-Functional Approaches to Insider Threat Prevention

Creating a structured framework that brings together security, HR, IT, legal and compliance teams to fight internal vulnerabilities

by Rachel L. Gerstein
April 8, 2025
in Risk
While companies invest heavily in external cybersecurity, the risks posed by employees and contractors with legitimate access often go underaddressed. Ethics and compliance leader Rachel L. Gerstein explores how a structured insider threat working group can transform disparate departmental efforts into a cohesive strategy that identifies threats early, coordinates responses effectively and continuously improves organizational security. 

Insider threats are a growing concern for companies, especially with the rise of remote work. Generally, an insider threat is a security or cybersecurity risk posed by someone with access to the company’s systems, such as an employee or a third-party contractor, who intentionally or unintentionally misuses that access to hurt the company by stealing data, corrupting systems or violating policies.

Insider threats are often referred to as malicious (intentional) or negligent (unintentional). A malicious insider has a deliberate intent to harm the company, such as by engaging in espionage. A negligent insider inadvertently exposes sensitive data due to carelessness like not following security policies and protocols. Whether malicious or negligent, these threats can cause damage to a company’s reputation, compromise highly confidential data and lead to lengthy and costly regulatory investigations and lawsuits.

Companies need to be smart about recognizing insider threats. Signs of a potential insider threat include accessing information outside of job responsibilities, downloading large amounts of data, unusual patterns of access to data, disgruntled behavior and other suspicious activity, especially where a company’s systems are concerned.

There are many ways to mitigate insider threats, including having strong access controls to data, training employees and third parties on security measures, strict background checks and screening processes (where permitted by law) and exit procedures for employees, such as exit interviews and timely data access restrictions. In addition to implementing these mitigation tools, companies need to be on high alert for the signs of potential insider threats noted above.

In my experience, coordinating cross-functional efforts to combat insider threats works best by forming an insider threat working group (ITWG). While required by law for organizations handling classified information (see NISPOM), an ITWG is also a highly recommended best practice for other companies. This cross-functional team includes representatives from physical security, HR, IT/information security, legal and compliance working together to prevent, detect, and respond to insider threats while ensuring legal compliance.

Key responsibilities of an ITWG include:

Risk identification and assessment

The ITWG identifies potential insider threat risks, such as unusual login locations, employees with frequent policy violations or conflicts with coworkers, disgruntled employees or third parties, and employees or third parties downloading more data than usual or data unrelated to their jobs. To do this, close collaboration is needed between the ITWG and the teams in legal, compliance, HR and IT. For example, the ITWG would need to work with IT to ensure that the company flags logins from IP addresses in foreign or unexpected locations, which could indicate remote work from outside the employee’s usual area.

Developing insider threat policies

The ITWG collaborates to create and enforce policies to prevent, detect and address insider threats. Companies should establish clear security policies that define acceptable use of systems and data, including access controls, password policies, multi-factor authentication, monitoring guidelines and acceptable use rules. There should also be policies related to the handling, storage and transfer of data. Companies should also adhere to the principle of least privilege, which allows users access only to data needed to perform their jobs and no more. Further, it is important that when policies and controls are violated, there are real consequences for the relevant associates and third parties.

Detection and monitoring coordination

The ITWG collaborates with the relevant teams to monitor policy compliance and detect fraudulent activity, such as logins from suspicious IP addresses. It should work with IT to implement systems that monitor employee behavior and identify unusual or suspicious activity. There should also be clear incident response procedures so that any insider threat or breach is quickly identified, its exposure limited and the problem remediated. Additionally, physical security plays an important role by ensuring that only those with proper identification are allowed access to areas containing business information, and monitoring technologies should be in place to deter and detect unauthorized access. Further, the ITWG should work with internal audit to conduct regular audits that identify vulnerabilities and confirm compliance with policies.
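The indicators listed under risk identification and here (logins from unexpected locations, downloads far larger than a user’s norm, access to data unrelated to the job) can be expressed as simple detection rules over access logs. The following is an added illustration, not code from the article or from any particular monitoring product; the log format, the per-user home countries, the role-to-resource mapping and the 10x download threshold are all constructed assumptions that an IT team would replace with its own data.

```python
import statistics
from collections import defaultdict

# Constructed sample log (not real data): timestamp,user,event,country,resource,bytes
SAMPLE_LOG = """\
2025-04-01T09:00:00Z,alice,login,US,-,0
2025-04-01T09:05:00Z,alice,download,US,sales-crm,120000
2025-04-02T09:01:00Z,alice,download,US,sales-crm,98000
2025-04-03T09:02:00Z,alice,download,US,sales-crm,110000
2025-04-07T02:14:00Z,alice,login,RO,-,0
2025-04-07T02:20:00Z,alice,download,RO,sales-crm,4800000
2025-04-07T02:31:00Z,alice,download,RO,hr-payroll,250000
2025-04-01T08:40:00Z,bob,download,US,hr-payroll,50000
"""
# Constructed baselines: resources each job needs, and each user's usual countries
ROLE_RESOURCES = {"alice": {"sales-crm"}, "bob": {"hr-payroll"}}
HOME_COUNTRIES = {"alice": {"US"}, "bob": {"US"}}
DOWNLOAD_FACTOR = 10  # flag a download larger than 10x the user's median to date


def parse_log(text):
    """Parse the CSV-style lines into dicts, ordered by timestamp."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, event, country, resource, size = line.split(",")
        rows.append({"ts": ts, "user": user, "event": event, "country": country,
                     "resource": resource, "bytes": int(size)})
    return sorted(rows, key=lambda r: r["ts"])


def detect(rows):
    """Return (timestamp, user, reason) for every event matching an indicator."""
    history = defaultdict(list)  # download sizes seen per user so far
    alerts = []
    for r in rows:
        user, country = r["user"], r["country"]
        # Indicator 1: activity from a location this user does not normally work from
        if country not in HOME_COUNTRIES.get(user, set()):
            alerts.append((r["ts"], user, f"access from unexpected location {country}"))
        if r["event"] == "download":
            # Indicator 2: data unrelated to the user's job responsibilities
            if r["resource"] not in ROLE_RESOURCES.get(user, set()):
                alerts.append((r["ts"], user, f"access outside job scope: {r['resource']}"))
            # Indicator 3: a download far larger than this user's own history
            past = history[user]
            if past and r["bytes"] > DOWNLOAD_FACTOR * statistics.median(past):
                alerts.append((r["ts"], user, f"unusually large download: {r['bytes']} bytes"))
            past.append(r["bytes"])
    return alerts
```

Running `detect(parse_log(SAMPLE_LOG))` produces no alerts for bob and five for alice, all on April 7: three for the unexpected location, one for the payroll access outside her role and one for the 4.8 MB download against a median of about 110 KB. Each alert is a lead for ITWG triage (HR context, legal review), not a conclusion on its own.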

Incident response and investigation

The ITWG coordinates the organization’s response to insider threats, ensuring investigations are conducted in compliance with legal standards and that appropriate actions are taken to minimize damage and protect data. The ITWG may also benchmark with other organizations to ensure that best practices are employed in all areas of responsibility.

Prevention of insider threats

Preventive measures include employee and third-party background checks (initial and recurring), screenings, identifying false IDs, exit interviews and monitoring employee and third-party behavior. The ITWG collaborates with teams like HR and IT to ensure comprehensive preventive strategies are in place. Further, the ITWG can advocate for data loss prevention (DLP) solutions to detect and prevent data loss or exfiltration. The ITWG also reviews cases of fraud, insider threats, etc., from other organizations to identify external lessons that can be learned and potential preventive measures.

Cross-functional collaboration

ITWG members from various functions provide a holistic approach to insider threats. The teams on the ITWG are the ones engaged in all relevant activities, from assessment to prevention to investigation when incidents arise. They also allow for information to be quickly cascaded up or down in their relevant functions. By sharing insights, past experiences and effective strategies, the team fosters a culture of continuous learning and improvement across the organization, with the goal of reducing and containing insider threats.

Training and awareness

The ITWG plays a vital role in creating and promoting training for employees, and where appropriate third parties, on recognizing and reporting suspicious activity. Regular training on insider threats and the company’s security policies should be conducted. Another area of opportunity is building a security culture in which employees truly understand the importance of security and their role in protecting data and systems. Further, the ITWG works with legal, HR and compliance to ensure employees feel safe reporting threats without fear of retaliation.

Continuous improvement

After any insider threat incident, the ITWG conducts a retrospective review to capture lessons learned and identify improvement opportunities. Those lessons learned should be shared with relevant team members outside the ITWG, including within senior management. In addition to learning lessons from its own experiences, the ITWG should ensure it stays informed about emerging insider threats occurring at other companies and that it updates policies and systems accordingly.

Collaboration with external groups

The ITWG should collaborate with industry groups and government agencies, with the input and support of senior management, to share best practices and intelligence. This can be a sensitive area, so the ITWG should ensure that all the relevant team members, including senior management, are consulted before a decision is made to provide information to external groups.

Clearly, the ITWG has a huge amount of work to do. It should meet at least quarterly, and there should be a leader who sets clear agendas, priorities and timelines with input from the larger group. The work of the ITWG can be part of a report out to senior management and even the audit committee or other board committee. This kind of cross-functional collaboration can lead to a significant reduction in insider threat risk.

Rachel L. Gerstein

Rachel L. Gerstein is an ethics and compliance professional, most recently serving as managing vice president of global ethics & compliance counsel at Gartner. Prior to Gartner, she was executive director of ethics and compliance at Avon. She began her legal career as an associate at Weil Gotshal & Manges, later moving to Akin Gump Strass Hauer & Feld.