Data privacy laws are picking up steam – think the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) – and there is a lot of concern about what security and privacy teams can and should do to enforce policies that protect the business. From a data privacy standpoint, consumers – and employees for that matter – historically have been largely left in the dark about what personal information a business may have about them and how that information is being used, stored and shared. With GDPR and CCPA, consumers and employees now are more emboldened to ask questions and provide direction on how their data is used.
In this new world with data privacy top of mind, corporate insider threat programs are especially under the microscope – and they’re getting an (undeserved) bad rap. There is a misconception that insider threat programs impinge on personal data privacy rules. As a result, some employees have very strong reactions against insider threat programs. To that end, many security teams end up having conversations around insider threat that end with comments such as, “I don’t want to be Big Brother!” or “Having a program implies I don’t trust my fellow co-workers.”
The reality is that data drives businesses and data is leaving companies every day (read more on this topic in our 2019 Data Exposure Report). Even though data loss by employees can take different forms, it’s important to take them all seriously. Sometimes employees take data accidentally. Other times, they take it intentionally without realizing the harm their actions could cause. Still other times, employees take data maliciously. Regardless of intent, the damages of data loss are real and it’s important we consider these risks to our businesses.
Insider threat programs are necessary and very effective in protecting corporate IP. To run an insider threat program while keeping employee privacy concerns in check, consider these three important steps:
Decide what you need to monitor
What does insider threat mean to you? I like to use a simple definition that removes intent and focuses on impact: insider threat is any type of threat to an organization’s security posture from within. Focus on the systems that manage your sensitive information, the departments that are more likely to handle sensitive information, or on the workflows that increase the probability that information is leaving the company (think departing employees, mergers & acquisitions, etc.).
Build out a program around it
Once you’ve defined what matters, build out an insider threat program around it. Programs are typically built out in one of three ways (though often a combination of these):
- Logging and alerting: If you defined sensitive systems as the focus, this is often a natural way to build out your program. Make sure you are capturing all relevant logging activities (this is sometimes tricky with SaaS applications) and set up alerts for activity that may be deemed more risky.
- Special tools: You may decide there are additional tools you want to implement in order to monitor and manage your insider threat program. Depending on the technology implemented, you may get additional alerts, risk ranking, or integrated workflows to help guide your set up.
- Defined processes: As much as we’d like to think technology can solve all of our problems, sometimes the best program starts with a manual process. This could include an onboarding or offboarding checklist, a periodic audit of privileged user activity and employee training.
As with all things security, remember that there is very little “black and white.” Build your program to allow for additional context, account for the potential of human error, and incorporate other stakeholders (legal, human resources, managers, etc.) into the program to ensure you are addressing risk appropriately.
If you are looking for additional guidance on the mechanics of building or maturing an insider threat program, here are a couple of great resources to check out:
- National Insider Threat Task Force (https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-nittf)
- CERT Insider Threat Center (https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=91513)
Tell your employees
Finally, no matter how you decide to build out your program, let your employees know what you are doing. Be very clear with employees about what information your program is collecting and monitoring, and how the information is being used. I often see this in the form of a log-in banner, an employee privacy statement or policy, or as part of security awareness training. Also, have a feedback process for people to reach out to you for more information.
My best advice when deciding what information to share is to put yourself in the shoes of an employee. What would you want to know, and would you find the data monitoring to be reasonable? At the end of the day, while you may be the owner of your organization’s insider threat program, you are also likely the subject of someone else’s.