Cyber Defense Magazine – July 2019

(Sean Pound) #1

The complexity doesn’t stop there. The root of this approach is – dare I say it – legacy data loss
prevention. Its ‘prevention-first’ approach and rigid policies frustrate users with barriers to productivity
which, most of the time, lead to workarounds and loopholes.


This is doing your organization and employees more harm than good. We all need something simpler
because insider threats show no signs of diminishing.


Here are 10 critical steps that make it faster, easier and more cost-effective to build your insider threat
program:



  1. Get leadership buy-in: This might seem like a no-brainer, but it’s critical to the development of
    your security and IT team (and your future efforts) as value-adding business partners.

  2. Engage your stakeholders: The buy-in campaign doesn’t stop with the executive team. Think
    about the individuals that would lose the most if an insider threat event were to take place, and
    bring them into the fold from the start.

  3. Know what data is most valuable: You should have a pretty sound idea of what data is most
    valuable after speaking with leadership and line-of-business stakeholders. You might be thinking,
    “all data has value,” which is true, but these conversations will be essential to learning about the
    types of unstructured data to keep a watchful eye on, and which types of high-value unstructured
    data will require more creative means of tracking.

  4. Put yourself in the shoes of an insider: Think critically about the value in taking or moving
    information. What would they do with it? What tactics or workarounds might they employ to help
    them get the job done?


Seem straightforward? Up until this point, you should be determining the types of data you’re protecting
and understanding the key indicators that might point to insider incidents. Keep reading – here’s where
things get simpler.



  5. Determine common, everyday insider triggers: Don’t get wrapped up in building a robust
    program with different types of classification schemes and policies that try to monitor every
    possible scenario. Instead, focus on your “foundational triggers,” or most common use cases that
    make up the vast majority of insider threat incidents, such as departing employees à la McAfee,
    high-risk employees, accidental leakage and organizational changes.

  6. Create consistent workflows: Investigating suspected data exfiltration can be complex and time
    consuming, so it’s important to define the key workflows for each foundational trigger. For
    example, when an employee departure is triggered, make sure you clearly define the
    workflow/plan of attack for this trigger and consistently execute on the steps you’ve established.

  7. Establish a game plan: Once a workflow is triggered and potential data exfiltration identified,
    establish which key stakeholder is responsible for directly engaging with the employee/actor.
    Using the employee departure example again, this would likely trigger engagement from HR and
    the line-of-business manager. This clear line of communication not only separates security and
    IT teams from the “data police” reputation, but also allows them to focus on data monitoring,
    detection and remediation.
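The three steps above (foundational triggers, a consistent workflow per trigger, and a named owner for engaging the employee) can be expressed as a small piece of detection logic. The following is an added example written for this edit, not code from the article or its author: it correlates a constructed HR departure feed with constructed file-activity log lines, raises the “departing employee” trigger for external transfers inside a 30-day lookback window, raises a separate “bulk external transfer” trigger when one user moves more than 100 MiB out in a day, and attaches the hypothetical workflow owners (HR, line-of-business manager, security) to each alert. The log format, action names, thresholds and owner mapping are all assumptions for illustration.

```python
"""Foundational-trigger correlation for an insider threat program (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions that move data outside the organization's control (assumed action names).
EXTERNAL_DESTINATIONS = {"USB_COPY", "CLOUD_UPLOAD", "PERSONAL_EMAIL"}

# Hypothetical workflow owners per foundational trigger (who engages the employee).
WORKFLOW_OWNERS = {
    "departing_employee": ("HR", "line-of-business manager", "security"),
    "bulk_external_transfer": ("line-of-business manager", "security"),
}

# Constructed HR feed: username -> last working day.
DEPARTURES = {"jdoe": datetime(2019, 6, 28)}

# Constructed file-activity log: "<timestamp> <user> <action> <path> <bytes>".
SAMPLE_LOG = """\
2019-05-15T09:10:00 jdoe CLOUD_UPLOAD /eng/roadmap.pptx 4194304
2019-06-20T14:02:11 jdoe USB_COPY /finance/q2_forecast.xlsx 52428800
2019-06-21T08:45:30 jdoe PERSONAL_EMAIL /finance/customer_list.csv 1048576
2019-06-21T09:00:00 asmith FILE_OPEN /hr/handbook.pdf 2097152
2019-06-21T11:30:00 asmith CLOUD_UPLOAD /eng/source_dump.zip 157286400
"""


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    user: str
    action: str
    path: str
    size: int


def parse_log(text):
    """Parse the space-separated constructed log format into FileEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append(FileEvent(datetime.fromisoformat(ts), user, action, path, int(size)))
    return events


def evaluate(events, departures, lookback_days=30, bulk_bytes=100 * 2**20):
    """Return alerts for the two foundational triggers, each with its workflow owners.

    departing_employee: an external transfer by a user whose last day is within
        lookback_days after the event (the pre-departure window).
    bulk_external_transfer: a user's external transfers for one calendar day
        cross bulk_bytes; raised once per user-day at the crossing point.
    """
    alerts = []
    daily_external = defaultdict(int)  # (user, date) -> bytes moved externally
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in EXTERNAL_DESTINATIONS:
            continue  # FILE_OPEN and similar internal actions are not triggers
        last_day = departures.get(ev.user)
        if last_day is not None and last_day - timedelta(days=lookback_days) <= ev.ts <= last_day:
            alerts.append({
                "trigger": "departing_employee", "user": ev.user, "ts": ev.ts,
                "path": ev.path, "owners": WORKFLOW_OWNERS["departing_employee"],
            })
        key = (ev.user, ev.ts.date())
        before = daily_external[key]
        daily_external[key] += ev.size
        if before < bulk_bytes <= daily_external[key]:
            alerts.append({
                "trigger": "bulk_external_transfer", "user": ev.user, "ts": ev.ts,
                "bytes_today": daily_external[key],
                "owners": WORKFLOW_OWNERS["bulk_external_transfer"],
            })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_log(SAMPLE_LOG), DEPARTURES):
        print(alert["trigger"], alert["user"], alert["ts"].isoformat(),
              "-> engage:", ", ".join(alert["owners"]))
```

On the constructed data this yields two “departing employee” alerts for jdoe (the May upload falls outside the 30-day window and is deliberately ignored) and one “bulk external transfer” alert for asmith; each alert already names who engages the employee, so the security team can hand off the conversation instead of becoming the “data police.” In a real deployment the departure feed would come from the HR system and the events from DLP, EDR or cloud audit logs, but the structure of trigger, window and owner stays the same.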
