MindPoint Group: Insider Threat

Proactive, Reactive, and Predictive Insider Threat Prevention

What is an Insider Threat?

When thinking about cyber or information security, we typically focus on external threats and overlook the reality of insider threats. Insider threats are a real security risk that originates from within your own organization. The risk typically stems from a current or former staff member who has access to sensitive/confidential company information and mishandles this access.

An insider threat is not always maliciously motivated. In many cases, the insider threat is a careless insider who unknowingly exposes the organization and its systems to external bad actors. An employee may unintentionally create a risk by simply clicking on an insecure link.

Proactive, Reactive, and Predictive Solutions to Insider Threats

There are various indicators of insider threat from malicious insiders or moles. These actors may be accessing network resources at unusual times, transferring unusual amounts of data in and out of the network, and accessing areas of the network that users do not typically access.

For these indicators, UDT outlined 15 best practices that can be deployed to help defend against insider threats. Depending on the security posture, an organization may either take a reactive, proactive, or predictive approach to dealing with insider threats.

Reactive organizations generally have no formal Insider Threat Program (ITP) in place but are aware that the threats do exist. Even these organizations can implement a few simple options to limit insider threat exposure.

  • Prevent data exfiltration with correct user access settings: Placing appropriate controls on data, closely monitoring who has access to what and when, and preventing the free movement of unauthorized users can stop an internal threat actor from succeeding in their malicious aims even if they manage to get past other security protocols. By analyzing behaviors related to the exfiltration of data, such as moving files to an off-site file-sharing site or sending attachments to a personal email account, it is possible to identify an insider threat and mitigate the attack.
  • Remote-lock desktops: When you can’t depend on your employees to be as responsible as they ought to be for all their configurations, a service that enables remote lockdown of desktops across the entire organization will come in handy. These services also have the added feature of locking down certain parts of an employee’s computer or applications to further prevent threats.

Proactive organizations focus on the use of tools and technologies to assist in identifying insider threats and policies, procedures, and training to limit exposure.

  • Establish a security policy: The starting point of any proactive plan of action to prevent security threats is to lay out a comprehensive data security policy. The policy should incorporate procedures to detect and prevent misuse. Ideally, it should also outline how to conduct insider misuse investigations. Finally, it should state what the potential consequences of these infractions are.
  • Exercise diligence in vetting new hires: Background checks tend to be consciously overlooked due to the perceived cost, but when compared to the potential hassle and theft in the future, they are well worth the money. This enables you to gain more information about the person to whom you are entrusting sensitive company information.
  • Dedicated, secure physical locations: Creating a dedicated physical location that is meant for securing data is one of the best ways to prevent insider theft. Safe places to lock up sensitive information and isolating high-value systems that will require verified access, 2-factor authentication, or even biometric scanning are effective ways to reduce insider threats, especially from personnel seeking access to high-level data through using other employees’ key cards.
  • Implement a strong password security policy: The password security policy of your business is a set of rules designed to improve data security by encouraging staff to use strong passwords and providing guidelines on how to use them properly. This password policy is an integral part of what should be the ongoing security awareness training program of your organization.
  • Employ Multi-Factor Authentication (MFA): Supplementing a password security policy is the implementation of a strong, multi-factor authentication measure to safeguard sensitive applications within your company. The use of weak passwords amongst employees makes it easy for users with malicious intent to gain access.
  • Fortify perimeter defense tools and strategies: Perimeter tools and strategies used for servers on the public internet should be implemented on your organization’s internal servers as well. It is also important to patch and update web and email servers regularly, to remove any unused services, and to use lockdown configurations to strengthen your security posture.

Predictive organizations, similar to proactive organizations, have a formalized ITP in place to identify potential or active threats as early as possible. Insider Threat Policies and Procedures are disseminated across the organization and are continuously updated to address shifting risk and changes in business operations.

  • Monitor misuse: 24/7 real-time monitoring of user behavior to predict and detect abnormal user behaviors associated with potential theft, sabotage, or data misuse is one of the most effective ways to counter insider threats. Organizations can use User and Entity Behavior Analytics (UEBA) to establish user and entity behavior baselines from historical access and activity. These behavioral baselines are the benchmark against which real-time activities are assessed as either normal or abnormal. UEBA uses big data analytics to provide insight into what’s happening with users in the organization in real time. Insider threats are identified when user behavior deviates from what is considered normal, prompting corrective action. Other behavior monitoring tools include security cameras for physical surveillance and keystroke logging.
  • Detect and stop privileged access abuse: One of the most damaging internal threat agents is the privileged user. Privileged users can be admins who can give themselves access to restricted data or use other forms of social engineering to impersonate other users; engineers who naturally have high security clearance to the most valuable intellectual property; or executives who can move freely with unfettered access anywhere. It is crucial to use tools for monitoring and controlling access to such sensitive information.
  • Make data security training an ongoing program: Conducting annual security awareness training for staff will have a positive impact in preventing avoidable security breaches by hapless users who become victims of increasingly sophisticated phishing scams, misused public Wi-Fi hotspots, or the inadvertent loss or sharing of files. Training personnel also empowers them with the knowledge to recognize social engineering tactics used to extract crucial information that could lead to a security breach.
  • Prevent backdoor infiltration: Some data breaches happen because an attacker gains ‘backdoor’ access into the target organization’s systems by infiltrating a third-party vendor. It is important to have established Third-Party Risk Management policies and procedures in place for your organization. Before entering into agreements with third-party vendors, it is crucial to understand the risk that this brings to your organization. At a minimum, the following should be considered for third parties: Which of our data will we be sharing with the vendor? How will the vendor store this data? What is the vendor’s security posture?
  • Periodically review accounts: It is certainly a best practice to perform routine account reviews and to purge any idle accounts in your directory. As a part of these reviews, user access should be reviewed to confirm it is still correct. For privileged users who have admin access or access to confidential data, reviews should be conducted more often. Removing the accounts of users who are no longer with the company should be included as a part of these reviews.
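The baseline-and-deviation idea behind UEBA in “Monitor misuse”, the indicators named earlier (access at unusual times, unusual data volumes, access to areas a user does not normally touch) and the idle-account purge in “Periodically review accounts” can all be expressed as a small set of checks over an access log and a directory export. The following is an added example written for this page; it is not MindPoint Group’s code, nor that of any UEBA product. The event layout, field names, thresholds (3 standard deviations and at least double the mean for volume, 90 idle days for ordinary accounts and 45 for privileged ones) and every event and account record are constructed assumptions.

```python
"""Baseline-and-deviation checks for the insider threat indicators discussed above.

Added example, not MindPoint Group's code or any product's. All events and
directory entries below are constructed sample data; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline period: (user, timestamp, bytes transferred out, resource).
HISTORY = [
    ("alice", "2024-03-04T09:12:00", 1_000_000, "eng-repo"),
    ("alice", "2024-03-04T14:40:00",   500_000, "wiki"),
    ("alice", "2024-03-05T09:05:00", 1_200_000, "eng-repo"),
    ("alice", "2024-03-05T15:10:00",   400_000, "wiki"),
    ("bob",   "2024-03-04T08:45:00", 2_000_000, "finance-share"),
    ("bob",   "2024-03-04T16:20:00", 1_000_000, "wiki"),
    ("bob",   "2024-03-05T08:50:00", 2_200_000, "finance-share"),
    ("bob",   "2024-03-05T17:00:00",   800_000, "wiki"),
]

# Constructed evaluation period: bob appears at 02:00, moves far more data than
# usual and opens a share he has never used; carol has no history at all.
RECENT = [
    ("alice", "2024-03-11T09:20:00", 1_100_000, "eng-repo"),
    ("alice", "2024-03-11T14:15:00",   450_000, "wiki"),
    ("bob",   "2024-03-11T08:55:00", 2_100_000, "finance-share"),
    ("bob",   "2024-03-12T02:13:00", 9_500_000, "finance-share"),
    ("bob",   "2024-03-12T02:41:00", 3_000_000, "hr-share"),
    ("carol", "2024-03-11T10:00:00",   200_000, "wiki"),
]


def build_baselines(events):
    """Per-user baseline: hours seen, resources seen, mean/stddev of daily outbound bytes."""
    hours, resources = defaultdict(set), defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for user, ts, nbytes, resource in events:
        t = datetime.fromisoformat(ts)
        hours[user].add(t.hour)
        resources[user].add(resource)
        daily[user][t.date()] += nbytes
    return {
        user: {
            "hours": hours[user],
            "resources": resources[user],
            "vol_mean": mean(daily[user].values()),
            "vol_std": pstdev(daily[user].values()),
        }
        for user in hours
    }


def score_events(events, baselines, z=3.0):
    """Compare recent activity against the baseline; each finding is a dict for triage."""
    findings, daily = [], defaultdict(int)
    for user, ts, nbytes, resource in events:
        t = datetime.fromisoformat(ts)
        base = baselines.get(user)
        if base is None:  # unknown user: nothing to compare against, surface for review
            findings.append({"user": user, "when": ts, "reason": "no baseline for user"})
            continue
        if t.hour not in base["hours"]:
            findings.append({"user": user, "when": ts, "reason": f"access at unusual hour {t.hour:02d}"})
        if resource not in base["resources"]:
            findings.append({"user": user, "when": ts, "reason": f"first access to {resource}"})
        daily[(user, t.date())] += nbytes
    for (user, day), total in daily.items():
        base = baselines[user]
        # Require z standard deviations AND at least double the mean, so a user whose
        # history is perfectly regular (stddev 0) is not flagged for a trivial increase.
        threshold = base["vol_mean"] + max(z * base["vol_std"], base["vol_mean"])
        if total > threshold:
            findings.append({"user": user, "when": day.isoformat(),
                             "reason": f"outbound volume {total} exceeds baseline threshold {threshold:.0f}"})
    return findings


# Constructed directory export for the periodic account review.
DIRECTORY = [
    {"name": "alice", "enabled": True, "privileged": False, "status": "active", "last_logon": "2024-03-11T09:20:00"},
    {"name": "bob", "enabled": True, "privileged": False, "status": "active", "last_logon": "2024-03-12T02:41:00"},
    {"name": "dave", "enabled": True, "privileged": False, "status": "terminated", "last_logon": "2023-11-30T17:05:00"},
    {"name": "svc-backup", "enabled": True, "privileged": True, "status": "active", "last_logon": "2023-12-20T03:00:00"},
    {"name": "erin", "enabled": True, "privileged": False, "status": "active", "last_logon": None},
]


def stale_accounts(directory, as_of, max_idle_days=90):
    """Return (name, reasons) for enabled accounts that are idle or belong to departed staff.
    Privileged accounts get half the idle allowance, matching the more frequent review above."""
    findings = []
    for acct in directory:
        reasons = []
        if not acct["enabled"]:
            continue
        if acct["status"] == "terminated":
            reasons.append("enabled account for departed staff")
        limit = max_idle_days // 2 if acct["privileged"] else max_idle_days
        if acct["last_logon"] is None:
            reasons.append(f"never logged on (limit {limit} days)")
        else:
            idle = (as_of - datetime.fromisoformat(acct["last_logon"])).days
            if idle > limit:
                reasons.append(f"idle {idle} days > {limit}")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings


if __name__ == "__main__":
    for f in score_events(RECENT, build_baselines(HISTORY)):
        print(f"{f['user']:6} {f['when']:20} {f['reason']}")
    for name, reasons in stale_accounts(DIRECTORY, datetime(2024, 3, 15)):
        print(f"{name:11} {'; '.join(reasons)}")
```

In this constructed data the baseline flags only bob (two off-hours accesses, a first-time share, and a day of outbound volume well above his threshold) and carol (no history to compare against); alice stays quiet. The account review separately surfaces dave’s still-enabled account after termination, the idle privileged service account, and an account that has never been used. Running the two checks together is the point: a behavioral alert on an account that should have been removed in the last review is exactly the combination the list above is trying to prevent.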

Assessor’s Perspective

While protecting against insider threats may seem like a daunting task, there are many open standards that will help with this. The National Institute of Standards and Technology has published NIST 800-53, which documents recommended security controls for federal information systems and organizations. For all the insider threat prevention methods listed above, compliance with NIST 800-53 will ensure that you meet this checklist.

Of course, once your organization has put security controls in place to be compliant with NIST 800-53, it is equally important to test these controls to make certain your organization and its data are protected. Having a certified third-party assessor/auditor like MindPoint Group come in to test your security controls will help you understand the security vulnerabilities within your organization that need to be addressed, and give you peace of mind against insider threats.
Awareness that Insider Threats are a true risk to your organization is a critical part of your security policy. The risk of your own employees potentially knowingly or unknowingly leaking confidential data or becoming the medium for a data breach can be troubling, but with the prevention methods and techniques discussed, you can drastically lower the risk. Ensuring your organization is compliant with security standards, such as NIST 800-53, will safeguard against this risk and aid in preventing immeasurable amounts in damages.