5 Insider Threat Lessons

At the recent RSA Conference 2013 in San Francisco, presenters from the Federal Bureau of Investigation (FBI) highlighted lessons learned from the FBI’s Insider Threat Program. According to an article on www.darkreading.com, these lessons include:

1. Insider threats do not equate to hacking.

Most often, insider threats involve individuals who already have authorized access to a system. More often than not, these insiders use that authorized access for malicious purposes. Another problem arises from so-called incidental insider threats, in which the insider causes problems accidentally. The main way to alleviate this kind of problem is to find ways to automatically discount these problem users and focus on the real threats.

2. Insider threats are also people-centric and not only technical-centric problems.

While a hacking attempt from the outside tests the security strength of a network, cybersecurity can do little to stop those with malicious intent when the threat comes from within. Companies are best served by treating a threat from the inside as a people-centric problem rather than looking for a solution on the technical side. Those who become disgruntled to the point of retaliation do so for personal reasons, so the problem bears examination from a psychological perspective.

3. Deterrence, not detection, is key.

Threat detection, especially from the inside, is time-consuming and costly. Rather than trying to detect every possible insider threat, you should instead create an environment that is very uncomfortable for insiders with an agenda. It is also important to let employees know that such policies are in place.

4. Any attempt to detect insider threats should be based on their behavior.

Attempting to detect behaviors that could signal someone as an insider threat proves a lot easier than using basic detection as a tool. Knowing which behaviors and practices signal malicious intent allows officials to head off a threat more easily, before too much damage is done. This has the further benefit of applying to multiple insider threats.

5. The processes for correct detection are a work in progress.

While advances have been made in detecting viable threats from a company insider, the science still has a long way to go. As of now, most of the data gathered has come from looking at the bad guys. One lesson learned is that the more innate psychological risk factors usually come into play when dealing with insider threats. Factors such as divorce, the inability to work in a team environment, or behaviors associated with retaliation were often high on the list of indicators of potential trouble.


For more information about lessons learned from the FBI’s Insider Threat Program, visit: http://www.darkreading.com/insider-threat/167801100/security/news/240149745/5-lessons-from-the-fbi-insider-threat-program.html