How to Implement an Insider Threat Management Program

Organizations have long been implementing processes to safeguard against outside and inside cybersecurity risks. While many companies focus on dividing the risk into intentional and unintentional, one area of risk that seems to fall outside of this formula is orphaned accounts, the result of bad business process enforcement.

While most organizations have good rigor around deprovisioning employees as soon as their relationship with the company ends, many lack timely deprovisioning for third-party non-employee accounts. Because financial, healthcare, manufacturing, insurance, and retail organizations have been leaders in utilizing third-party non-employees, these industries carry a disproportionate amount of risk relative to other industries: they utilize more third parties (non-employees) who have been granted insider access. In fact, the Verizon Insider Threat report names third parties as one of the top 5 insider threats.

Analysis of past insider incidents has shown that full-time and contracted employees with the following attributes posed a high risk and are also most prone to orphaned accounts:

  • Contractors and outsourced call or service center employees 
  • Vendor employees or third parties of vendors 
  • Employees or third parties with privileged access 
  • Former employees given access for any reason 
  • Employees who have resigned or are about to resign
  • Technically sophisticated users 
  • Employees who have received a poor performance review

So, how do you protect your organization? There are practical methods to mitigate the risk posed by high-risk threats, such as establishing an Insider Threat Management Program.

Start with what matters most

The program should identify critical assets, which employees and non-employees have access to them, and which non-employees really need to have access and for how long. This list can be matched to threat attributes to determine which employees and non-employees are, or may become, high-risk. The effectiveness of current security policies and risk appetite can be used to further refine the scope of the program.
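One way to carry out the matching described above, as an added example that is not part of the original article: it takes an access list for critical assets, flags orphaned accounts (still enabled after the engagement end date), and scores each identity against the article's threat attributes. The weights, threshold, field names, users and assets are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Attribute names follow the article's list; the weights are assumed, not from the article.
WEIGHTS = {"non_employee": 2, "privileged": 3, "former": 3,
           "resigning": 2, "poor_review": 1}
ORPHAN_WEIGHT = 5  # assumed: an enabled account past its end date dominates the score

@dataclass(frozen=True)
class Account:
    user: str
    asset: str
    enabled: bool
    attributes: frozenset
    engagement_end: Optional[date]  # None means no end date on record

def is_orphaned(acct: Account, today: date) -> bool:
    """Still enabled although the owner's engagement has already ended."""
    return (acct.enabled and acct.engagement_end is not None
            and acct.engagement_end < today)

def risk_score(acct: Account, today: date) -> int:
    """Sum of matched attribute weights, plus the orphan weight if applicable."""
    score = sum(WEIGHTS.get(a, 0) for a in acct.attributes)
    return score + (ORPHAN_WEIGHT if is_orphaned(acct, today) else 0)

def review_queue(accounts, critical_assets, today, threshold=5):
    """Enabled accounts on critical assets scoring >= threshold, highest first."""
    rows = [(a.user, a.asset, risk_score(a, today), is_orphaned(a, today))
            for a in accounts if a.enabled and a.asset in critical_assets]
    return sorted((r for r in rows if r[2] >= threshold), key=lambda r: -r[2])

# Constructed sample data (hypothetical users and assets).
TODAY = date(2024, 6, 1)
CRITICAL = {"payments-db", "hr-share"}
ACCOUNTS = [
    Account("c.vendor", "payments-db", True,
            frozenset({"non_employee", "privileged"}), date(2024, 3, 31)),
    Account("j.former", "hr-share", True, frozenset({"former"}), date(2024, 1, 15)),
    Account("a.staff", "payments-db", True, frozenset({"privileged"}), None),
    Account("b.contract", "payments-db", True,
            frozenset({"non_employee", "resigning"}), date(2024, 12, 31)),
    Account("d.old", "wiki", True, frozenset({"non_employee"}), date(2023, 9, 1)),
    Account("e.gone", "payments-db", False,
            frozenset({"former", "privileged"}), date(2024, 2, 1)),
]

if __name__ == "__main__":
    for row in review_queue(ACCOUNTS, CRITICAL, TODAY):
        print(row)
```

In practice the access list would come from the IAM system and the end dates from HR or vendor records, which is why the two orphaned accounts surface first in the queue.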


Key Components to an Insider Threat Program 

  • A team that determines the structure and processes, with input and collaboration from HR, IT, Identity, and Risk managers. HR and CISOs are typically the team leaders.
  • Risk rate identities to provide transparency into the risk of providing access. 
  • Clarity on the program scope and objectives. 
  • Estimations of the program’s baseline costs, and the time commitment of each participant. 
  • A prioritized list of the key insider threats to your organization. 
  • A list of critical assets to your organization and who has access to them (and why).
  • A determination of the resources required to build and implement an insider threat management program.  
  • To ensure buy-in from all the stakeholders, there needs to be an Essential Program Value Proposition, such as how the business will benefit from the program. It can include the impact (financial or reputational) to the company if there is a breach, compliance risks, and how the program aligns with business objectives, risk programs, and regulations. Past examples of insider breaches in similar industries can also be showcased.
  • A program must be able to be owned and managed without increasing overhead.  
  • An easy-to-use and easy-to-implement system that can integrate with HR or IAM systems.
  • To succeed, a program must be shown to align with organizational goals and be an enabler of those goals, not a gatekeeper or another cumbersome step.


An Insider Threat Management Program is a long-term effort, so the best practice is to start with a short list of the most critical assets, who has access to them, and who needs access, and to increase that scope over time. Choose a small portion of non-employees (third parties), prioritizing those with privileged access, and employee subsets to conduct a pilot of the program, and use those findings to expand the program enterprise-wide. The scope of the program can include: the importance of information security, the gaps in current security policies, the organization's tolerance for risk, ensuring that “least privilege” guidelines are followed throughout identity lifecycles, and how this information is tracked/audited.

The program’s success over time can be measured by: the reduction in over-provisioning and orphaned accounts, auditability and reporting, the operational efficiency of managing the program, and the general ease of use for participants in the program. Programs will need purpose-built technology solutions, since customizations to existing systems and manual processes have proven ineffective, and a native build approach is often costly and doesn’t evolve with a company’s needs. SecZetta can enable Insider Threat Programs by automating key identity processes for the onboarding, offboarding, and lifecycle management of non-employees, while at the same time providing the capability to assign risk ratings to third-party identities, both human and non-human. While 75% of breaches happen due to insider behavior, significant risk mitigation can be accomplished by adopting an Insider Threat Management program that can be delivered in digestible phases to meet the needs of any organization.

*** This is a Security Bloggers Network syndicated blog from Industry Blog | SecZetta authored by Keith Durand.