Jo-Ann Smith, director of Technology Risk Management and Risk Privacy at Absolute, said the insider risk management team should meet on a regular basis to update policies. “Once in place, it's then critical to create and maintain a risk register that both qualifies and quantifies risks for remediation, and subsequent mitigating steps. To demonstrate progress, the team should create KPIs and then audit and report on risk levels to show status and improvement year over year.”
Schindilinger said the risk management team can also help ensure that the company’s “whistleblower” policy and procedures are feasible, easy to navigate, and able to be enacted quickly in the event that an insider threat is identified. “Most importantly, this team should work with the company’s leadership to establish a culture of transparency and accountability – ensuring that policies are rigorously enforced, and that anyone who comes forward with information regarding a potential threat is rewarded, not penalized or ostracized, for doing so.”
She added that implementing risk mitigation and security software is critical to identifying, deterring and reporting incidents. However, software cannot solve the problem alone. Establishing a culture of accountability and transparency – and rigorously enforcing policies – can help stop potential threats before they become crises.
A few security pros used the term “socializing” when describing how awareness training should be implemented.
Kennet Westby, president and co-founder at Coalfire Systems, said the greatest deterrent is identifying the risk and building a program to tackle it. “Greater value than any specific policy, control or technology is getting the company’s focus and cultural commitment to address the insider threat. By raising awareness, understanding the impact of the risk, and building a team internally to take on the challenge, you can instantly shift a company culture to a team intent on protecting themselves.”
Socializing the concept that all personnel are responsible for deterring and detecting insider threats is key, said Alvaro Hoyos, chief information security officer at OneLogin. “This is similar to what a successful security awareness program strives to do. Investing in technical solutions is important as well, but no technical solution can replace an attentive end user.”
Eric Stevens, director of consulting services for Forcepoint, said that, from a deterrence perspective, having a well-defined and socialized plan in place is a great start. Educating users that you are running an Insider Threat Program, what the intention of the program is, and what proper data handling looks like, and ensuring that they understand their part in protecting the enterprise, can help to curb careless behavior and put the intentional wrongdoer on notice. Technology controls, such as user and/or endpoint behavior analytics, can then provide the necessary monitoring of the program and alert IT security to anomalous behavior while collecting the necessary forensic evidence.