“What Could Possibly Go Wrong?” A Look at Insider Threats and How Not to End Up in The News

Insider threats are a serious issue for any organization. Whether it is a former employee, a business partner, or simply someone who mishandles data, an insider threat can ruin your reputation and cripple your business.

But how do you prevent an insider threat?

The key is to identify potential issues that may arise during the hiring process. If your software developer has egregious financial debt and a gambling problem coupled with a felony conviction for robbery, this may not be the guy you want handling your R&D.

So it is important to establish hiring practices that identify safe personnel and then enforce those practices consistently.

From there on, the key is to protect yourself from the inside out. Know your assets and know how to protect them. These assets may be physical, such as computer equipment or company vehicles. Physical assets are more easily accounted for. But they may also be intangible assets, such as source code or strategic plans. These assets can be copied and disseminated without your immediate knowledge. You’ll notice pretty quickly if some of your servers go missing. But how will you know if your R&D has been sent to a competitor or talk of a merger has been leaked to the press?

The key is to identify your assets and employ measures to protect them. It’s easier and far less expensive to prevent a mess than to clean one up. Following these and other best practices will help you stay a step ahead.

  • Establish an inventory control and tracking policy for hardware and physical property. Conduct regular inventory audits to ensure that critical assets haven’t gone missing. (Dude, where’s my server?)
  • Utilize best practices for access to sensitive information. The two-man rule prevents a sole individual from having the power to defraud your enterprise. Implementing the principle of least privilege adds an additional layer of security and reduces risk by granting employees access only to the resources they need. Does your software engineer need admin access network-wide when a local admin account would suffice?
  • Formalize and adhere to a comprehensive process for employee termination. Ensure that you’ve terminated every account they have used to access the network. Retrieve any company credit cards and accounts they may have managed on behalf of the company. Collect ID badges, key fobs, RSA tokens, and issued devices. (Excuse me, I believe you have my stapler…)
  • Establish and tailor a formalized insider threat program. Monitor employees with privileged access. Know how to respond to and mitigate an incident quickly with an incident response team.
  • Lastly, create an employee awareness program that teaches employees how to spot and report insider threats.

These are just a few of the many procedures that you should implement to protect yourself. It is by no means a comprehensive guide, as each organization should tailor a plan to suit its needs. Still, this should give you some idea of the complexity and rigor that threat awareness demands. For further reading, check out NIST Special Publication 800-30 “Guide for Conducting Risk Assessments” Section 3.2.1, NIST Special Publication 800-39 “Managing Information Security Risk,” NIST SP 800-61 “Computer Security Incident Handling Guide,” and NIST Special Publication 800-53 Rev 4 “Security and Privacy Controls for Federal Information Systems and Organizations.”

Or you can call in the experts who have already read this stuff to conduct a risk assessment and help you develop a plan that will keep you off of the front page of a newspaper.

Remember, preventing a mess is easier and less expensive than cleaning one up. Just ask these guys:

  • Triple-S Management Corp.
  • Sony Entertainment
  • Neiman Marcus
  • TJ Maxx

About Jon

Jon is an experienced Technical Writer, Ethical Hacker, Privacy & Security Evangelist, and Master of the Margarita. With an equal passion for the Chicago Manual of Style and cyber security, Jon believes that creating security documentation is kind of a fun thing to do. He's also pretty good at "bricking" devices that were working just fine. When he's not buried in security documentation, screaming at his keyboard, sprinting to a Congressional hearing, or debating the Oxford comma way too seriously, he manages this blog from our super-secret Moonbase.