How to Successfully Combat an Insider Threat

Combating an insider threat can often present a more complicated problem than malicious online attacks. Insider threats are typically your own employees, the people you are required to trust to complete daily tasks. What happens when one of those trusted employees goes rogue?

It can be difficult to detect an insider threat, and many businesses don’t recognize the threat until a breach has already occurred. Yet fifty percent of all malicious attacks come from an inside attacker, and they could cost your company up to $2 million in time and assets.

Your employees are capable of completing a malicious attack on your company either by opening up your firewall to allow access or by physically stealing data. It is vital to set up precautions in network security and the physical security of your business.

Combat an Insider Threat

This article will cover the four main ways that your company can successfully combat an insider threat.

Establish Security Protocol

The first thing your company should do is establish a comprehensive security protocol. The protocol identifies and secures the vulnerabilities your company has, sets out procedures for minimizing both internal (physical) and network (malicious) attacks, and defines procedures for mitigating attacks if they do occur.

When establishing a protocol, your IT and risk assessment department will want to identify the main areas for vulnerabilities, authorization and access points, backup and recovery, rules for encryption and security, and protocols specific to your computer monitoring software.

In general, your security protocol is a road map for preventing, identifying, mitigating, and recovering from insider threats. It also covers properly negotiated security agreements with employees and with any third-party services; these agreements set the parameters for access restrictions, monitoring capabilities, and the process for service termination.

Preventative Measures

Preventative security measures mean not only setting up the processes for information security but also accounting for lapses in human judgment, insider theft, and the odd ways in which data can be hijacked. Insider theft regularly occurs during times of transition, so data is more susceptible to theft when an employee is leaving or when storage media is being recycled.

Before discarding any hard drives, erase all the data so that it is no longer recoverable; old hard drives should be physically destroyed. On top of that, all data should be properly archived and backed up, with recovery processes in place. File or mailbox archiving should be configured according to the established security protocols, and a system backup should be done at least once a month.

With all security measures, be aware that a trusted business partner could be part of the problem. Enable role-based access controls for information and services. You can also require two users to authorize the copying of data to removable media, the deletion of data, and critical changes to system configuration.
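The role-based access control and two-person authorization rule described above, as an added example (this is not SoftActivity's code): the roles, users, action names and the "approve" permission are constructed assumptions. The controller refuses self-approval and approvers without the approving role, and records every decision in an audit log so that later review can see who requested and who approved each sensitive action.

```python
"""Role-based access plus two-person authorization for sensitive operations.

Added example, not SoftActivity's code. Role names, actions and users below are
constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Role -> set of actions that role may *request*. Constructed assumption.
ROLE_PERMISSIONS: Dict[str, set] = {
    "analyst": {"read_file"},
    "admin": {"read_file", "delete_data", "change_config", "copy_to_removable"},
    "security": {"read_file", "approve"},
}

# Actions the article says should need a second, distinct person.
DUAL_CONTROL_ACTIONS = {"copy_to_removable", "delete_data", "change_config"}


@dataclass
class AuditEvent:
    when: str
    actor: str
    action: str
    target: str
    outcome: str
    approver: Optional[str] = None


@dataclass
class AccessController:
    users: Dict[str, str]                       # username -> role
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _record(self, actor, action, target, outcome, approver=None):
        evt = AuditEvent(datetime.now(timezone.utc).isoformat(),
                         actor, action, target, outcome, approver)
        self.audit_log.append(evt)
        return evt

    def has_permission(self, user: str, action: str) -> bool:
        role = self.users.get(user)
        return role is not None and action in ROLE_PERMISSIONS.get(role, set())

    def authorize(self, actor: str, action: str, target: str,
                  approver: Optional[str] = None) -> bool:
        """Return True if the action may proceed. Every decision is audited."""
        if not self.has_permission(actor, action):
            self._record(actor, action, target, "denied:no_permission")
            return False
        if action in DUAL_CONTROL_ACTIONS:
            if approver is None:
                self._record(actor, action, target, "denied:approval_required")
                return False
            if approver == actor:
                # Two-person rule: the requester can never be their own approver.
                self._record(actor, action, target, "denied:self_approval", approver)
                return False
            if not self.has_permission(approver, "approve"):
                self._record(actor, action, target,
                             "denied:approver_not_authorized", approver)
                return False
        self._record(actor, action, target, "allowed", approver)
        return True


if __name__ == "__main__":
    ac = AccessController({"alice": "admin", "bob": "security", "carol": "analyst"})
    ac.authorize("alice", "delete_data", "/srv/db")                  # needs approval
    ac.authorize("alice", "delete_data", "/srv/db", approver="bob")  # allowed
    for evt in ac.audit_log:
        print(evt)
```

The point of returning a boolean and always writing the audit record is that denials are evidence too: a run of "denied:approval_required" entries from one account is exactly the kind of signal a later risk assessment should be able to pull from the log.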

Your team should also be prepared to handle disaster recovery. This includes a procedure for recovering data and rehearsing a disaster test plan to ensure that the system can be fully functional and online within a reasonable amount of time.

Software and Surveillance

Insider threat detection involves establishing computer monitoring software as well as a physical security system.

Computer monitoring software should be put in place immediately so that your company can monitor, filter and protect web traffic and navigation, privileges and access points, encryption software, access to sensitive files, and password management. Monitoring software is positioned to mitigate potential threats through endpoint and intrusion detection, and to establish the hierarchies used for data loss prevention.

Employee monitoring software can use session screen-capture technology. It monitors and logs employee actions, and it applies user behavior analytics (UBA) to establish a baseline of normal network behavior against which deviations can be flagged.

Since monitoring software is another network gatekeeper, whitelist only the hosts and ports your employees should be accessing. Wireless intrusion detection can also be enabled for data and cellular networks. This lets your team identify whether mobile and/or remote access is still required, and who requires it.

Your network firewall should also be properly configured: critical systems should not be directly exposed to the internet, and the network should be segmented into VLANs, with users assigned to them, so that only certain users can reach each part of the network.

With all physical security measures, ensure that your facilities are monitored with video cameras and motion sensors. A professional security team can be vetted and hired to protect the facility. They would prevent suspicious personnel from entering, monitor the network and physical data hubs at night, and keep unauthorized people out of critical IT areas.

Regular Risk Assessments

A risk assessment involves regular and frequent review of your IT network security, your personnel, and your general security policies. Your HR and IT departments should prepare documents that clearly establish:

  • Generalized data protection regulations
  • Standardized incident response
  • Third-party policy
  • Account management
  • User monitoring
  • Comprehensive employee termination procedure, and
  • Password management.

These guidelines will allow your team to more readily identify potential vulnerabilities and risky behaviors.

Regular enterprise risk assessments can reference these policies to reassess risks year over year and update them with improved protocols, software, and procedures. Using a log correlation engine or a security information and event management (SIEM) system also lets your team investigate historical incidents and perform IT audits to assess privileges.
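The two detection ideas on this page, a UBA-style baseline of each user's normal behavior (from the "Software and Surveillance" section) and SIEM-style correlation over historical activity logs (above), as one added example. This is not SoftActivity's product or code: the log line format, user names, file paths, the ten-times-median volume threshold and the list of high-risk actions are all constructed assumptions. The baseline period builds a per-user profile (active hours and median bytes per event); the review period is scored against it, and a separate query function shows the kind of historical lookup an investigation or privilege audit would run.

```python
"""Baseline-and-deviation detection over constructed activity logs.

Added example, not SoftActivity's code. Log format, names, paths and thresholds
are constructed assumptions for the demonstration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed line format: "<ISO-8601 UTC> user=<name> action=<verb> path=<p> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)

VOLUME_FACTOR = 10                       # flag events > 10x the user's median (assumption)
HIGH_RISK_ACTIONS = {"usb_copy", "delete"}  # removable media and deletion, per the article


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = _parse_ts(d["ts"])
    d["bytes"] = int(d["bytes"])
    return d


def build_baseline(events):
    """Per-user profile: hours of day seen active and median bytes per event."""
    hours, sizes = defaultdict(set), defaultdict(list)
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        sizes[e["user"]].append(e["bytes"])
    return {u: {"hours": hours[u], "median_bytes": statistics.median(sizes[u])} for u in hours}


def score_event(event, baseline):
    """List the reasons an event deviates from its user's baseline (empty = normal)."""
    reasons = []
    profile = baseline.get(event["user"])
    if profile is None:
        reasons.append("no_baseline_for_user")          # new or unknown account
    else:
        if event["ts"].hour not in profile["hours"]:
            reasons.append("outside_usual_hours")
        if event["bytes"] > VOLUME_FACTOR * profile["median_bytes"]:
            reasons.append("unusual_volume")
    if event["action"] in HIGH_RISK_ACTIONS:
        reasons.append("high_risk_action:" + event["action"])
    return reasons


def detect(baseline_lines, review_lines):
    """Build the baseline, then return (user, timestamp, reasons) for every flagged event."""
    base = build_baseline([e for e in map(parse_line, baseline_lines) if e])
    alerts = []
    for e in filter(None, map(parse_line, review_lines)):
        reasons = score_event(e, base)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


def investigate(lines, user, start_iso, end_iso):
    """SIEM-style historical query: every event for one user inside a time window."""
    start, end = _parse_ts(start_iso), _parse_ts(end_iso)
    return [e for e in filter(None, map(parse_line, lines))
            if e["user"] == user and start <= e["ts"] <= end]


# Constructed sample data: ordinary daytime activity, then a review period.
BASELINE_LOG = [
    "2020-02-03T09:12:00Z user=alice action=file_read path=/srv/finance/q1.xlsx bytes=20480",
    "2020-02-03T14:30:00Z user=alice action=file_read path=/srv/finance/budget.xlsx bytes=30720",
    "2020-02-04T10:05:00Z user=alice action=file_read path=/srv/finance/q1.xlsx bytes=20480",
    "2020-02-05T11:45:00Z user=alice action=file_write path=/srv/finance/notes.docx bytes=10240",
    "2020-02-06T16:20:00Z user=alice action=file_read path=/srv/finance/budget.xlsx bytes=30720",
    "2020-02-03T08:50:00Z user=bob action=file_read path=/srv/eng/spec.pdf bytes=512000",
    "2020-02-04T09:30:00Z user=bob action=file_read path=/srv/eng/spec.pdf bytes=512000",
    "2020-02-04T17:10:00Z user=bob action=file_read path=/srv/eng/design.pdf bytes=409600",
]
REVIEW_LOG = [
    "2020-02-20T10:00:00Z user=alice action=file_read path=/srv/finance/q1.xlsx bytes=20480",
    "2020-02-21T23:40:00Z user=alice action=file_read path=/srv/finance/customers.csv bytes=734003200",
    "2020-02-21T23:55:00Z user=alice action=usb_copy path=/srv/finance/customers.csv bytes=734003200",
    "2020-02-21T09:30:00Z user=bob action=file_read path=/srv/eng/spec.pdf bytes=512000",
    "2020-02-21T09:31:00Z user=newhire action=file_read path=/srv/eng/spec.pdf bytes=512000",
]

if __name__ == "__main__":
    for user, when, reasons in detect(BASELINE_LOG, REVIEW_LOG):
        print(f"{when} {user}: {', '.join(reasons)}")
```

Two caveats worth keeping in mind when doing this for real: a baseline built from a handful of events (as here) will flag ordinary variation, so collect a representative window before trusting the "outside_usual_hours" signal, and an account with no baseline at all should be reviewed rather than silently ignored, which is why it produces its own reason.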

Lastly, a proactive risk assessment involves training employees on insider threat security. By looping in your employees, they become aware of how seriously you take threat detection and prevention, and they can work on behalf of your company to identify potentially dangerous actors or behaviors that could put your data at risk.

Are You Protected?

It can be difficult to protect your company against insider threats. By establishing a comprehensive security protocol that takes into account both physical and online malicious events, your company will be better prepared to stop and mitigate insider threats. Work with both your HR and IT departments to establish where your company’s biggest vulnerabilities lie and which security processes are in place to protect them. Investing in computer monitoring software like SoftActivity will support your physical security in detecting and stopping insider threats.

February 24th, 2020