This article provides a few important things to keep in mind when you're laying the groundwork for an insider risk program. While this article does not tell you everything you need to know to create an insider risk program (see Resources below for a few good references), it helps get you started with your planning.
Before you implement Incydr, it is a best practice to develop an insider risk program at your company. Doing so ensures that Incydr has the support needed throughout the company to ensure its success.
Preparing to deploy Code42 Incydr to your company is a process that involves more than taking a few notes and installing some software on a test system. It means mobilizing your company to address insider risk, from the IT and security teams to each and every one of your employees. It is a culture-shift that requires everyone to buy in to the reality that not only is valuable information possibly leaving your company (intentionally or not), but also that everyone must work to address it.
We call it an "insider risk program" rather than the more standard industry term "insider threat program" because we believe that your insiders pose only potential risks until they take actions that are fully identified as threats to your organization. We feel this mindset of presuming your insiders are "innocent until proven guilty" better allows you to enlist your employees in company-wide efforts to reduce data loss.
The Code42 Insider Risk Success Team (IRST) may be able to help you develop an insider risk program in preparation for Incydr. Contact your Customer Success Manager (CSM) to find out more.
Set baseline expectations
The executive sponsors of an insider risk program have the critical task of setting the baseline expectations for that program. The executive sponsors are typically the CISO and other members of the executive team. They should articulate as clearly as possible the desired impact of the insider risk program on the company's risk management, and should present specific use cases and their relative criticality to the company.
To set the baseline expectations, executive sponsors should answer questions like the following and present the answers to the insider risk program owner:
- Are you on the targeted list of organizations for intellectual property theft? Are you currently monitoring for compromised systems, identities, or users, as well as insider risk?
- Does your cyber insurance policy cover an employee-originating loss? If yes, with what restrictions?
- Have you discussed among your executive peers the type of events that merit a legal or criminal interaction with respect to the loss of intellectual property or unlawful behavior?
- What are the top five most important digital assets that the company owns? Has a financial value ever been assigned to them? What sorts of actual losses or negative impacts might be realized should these assets be lost or stolen?
- Is there a list of the individuals who handle critical digital assets? Is there a list of where these assets are stored? (We recommend reaching out to your identity access managers, data owners, and anyone recently engaged in a business impact analysis for these datasets and have them fill out a critical assets questionnaire.)
Create a checklist
The owner of the insider risk program takes input from the executive sponsors and uses it to lay out the tasks needed to create the program.
Following is an example checklist of tasks to be carried out by the program owner:
- Obtain executive buy-in
Get authorization from company executives for the program. This gives the program owner the leverage needed to work across organizations, secure needed information on critical assets, and ensure that cross-departmental relationships are successfully established.
- Consult with legal counsel and human resources
Get input from the legal and HR departments about how to properly handle insider risks. This ensures the program is implemented appropriately, consequences are defined, and policies are enforceable and in line with organizational culture and privacy concerns.
- Create an insider risk working group
Develop a cross-organizational team to review incidents, create procedures, and update response policies.
- Define processes
Define the process template and process trees based on incident severity and frequency. Include who is notified, who owns components of any investigation, and steps for remediation. Process planning may include IT, security, HR, legal, and executive personnel.
- Inventory data
Create an inventory of critical data to define the focus of the program and the sanctioned exfiltration paths.
- Identify threats
View internal threats holistically as you would external threats. Include not just employees but also contractors and vendors with access to the network and business systems.
- Integrate platforms
Alert platform owners whose solutions enable elements of the program such as systems used by HR (for example, Active Directory, ADP, Workday) and your security operations center (for example, EDR, firewalls, URL filtering, security awareness, security gateway, SIEM, SOAR, user behavior analytics). As a best practice, adhere to least privileged access and use micro segmentation. (For Code42's integration solutions, see Code42 integrations resources.)
- Create communication
Tell employees about the program. Include employee communication as part of the onboarding and annual training processes. This generates awareness and sets expectations.
- Add expectations to the acceptable use policy
Define expectations for handling company data to your acceptable use policy (AUP). Ensure employees sign off on the AUP annually.
Assemble the components
The insider risk program team assembles the components of the program under the direction of the program owner. Following is a diagram of the components common to insider risk programs that you should consider incorporating into your own program.
Image source: Carnegie Mellon Software Engineering Institute's Common Sense Guide to Mitigating Insider Threats, Sixth Edition, page 20 of the PDF.
Program maturation stages
Following is a Capability Maturity Model (CMM) perspective of an insider risk program as it moves from inception to maturity.
|Nonexistent||No program or technology in place to detect and respond to insider risks exists, and is unaware of the risk posed by an insider.||
|Reactive||No program in place, but is aware that insider risks exist. IT is responsible for responding to any realized threat actions.||
|Proactive||Focus is on technologies that proactively and reactively help spot any insider risks within a core group of high-risk users.||
Automate monitoring of employees who are:
|Predictive||A formal program is in place that seeks to identify potential or active threats as early on as possible. Program definitions, policies, processes, and monitoring are in place.||
|Optimized||The insider risk program is dynamic and responsive, continually addressing shifting risk and changes in business operations that impact needed policy, process, and technology.||Implement User and Entity Behavior Analytics (UEBA)|
- Carnegie Mellon University Software Engineering Institute
- Cyber Security Summit
Other articles in this series: