Tip

Insider threat management best practices

Sivarama Krishnan, executive director and partner for performance improvement, PwC

Globally, insider threats cause more damage to organizations than external threats. Insider threats may lead to a financial loss, bad reputation and corporate espionage. On the domestic front, Indian organizations are slowly becoming aware of the potential damages that insiders can cause.

Companies have made huge technology and process investments to thwart external threats, but they have not made similar levels of investment in policy, practices and technology for managing insider threats.

Apart from lack of awareness, excessive trust is one of the main reasons behind Indian companies' lukewarm attitude towards insider threats. As Indians, we tend to assume that people within the organization are less dangerous than outsiders. This is why India has not reached a maturity level where insider threats are considered as potentially damaging as external security threats.

A three-pronged management strategy

First, your organization's information security policy must include clearly defined practices and strategies for insider threat management. The ability to manage and address insider threats may demand practices that are different from the existing practices for external security threats.

The insider threat management strategy of your organization should address three areas: people, process and technology. In terms of people, user awareness should be the most important part of your strategy. Employees should be educated about the company's

    Requires Free Membership to View

information security policy, as well as the dos and don'ts for their individual roles. Your organization's employees should also sign a non-disclosure agreement.

In terms of process, you should create an architecture that defines and controls access for users across the organization. Limit user access to information to a need-to-know basis, and conduct periodic reviews.

On the technology front, you can always look at implementation of solutions such as data loss prevention (DLP) tools. DLP tools are available in various forms. They monitor data in motion (data moving through the network) and data at rest (data in hard disks or storage devices).

Types of insider threats
Insider threats can be divided into four types:

1. A person who should not have access to particular information manages to get access by virtue of being an insider.
2. Someone who has authorized access leaks the information.
3. An insider accidentally leaks sensitive information without any malicious intent.
4. Third parties, such as an outsourcing service provider or temporary contractors, have access to the corporate network and leak or steal information.

A best practice for DLP selection is to look at an end-to-end solution. Always be wary of vendors that make claims of "out of the box" or ready-to-use DLP systems. If you believe in these claims and adopt such a product, you may be stuck with a humongous amount of false positives. So before adopting a DLP tool, you must analyze your organization's data flow so you can formulate clear principles and policies based on that analysis.

Observe human behavior

Technology alone may not help your organization battle the menace of insider threats. It is extremely critical to check the behavioral aspects of how people use technology.

It's essential to keep tabs on the timing and the necessity for access to a particular piece of information. For example, always keep clear records of when a user accesses a particular piece of information and how he accesses it.

Several technologies can help companies monitor behavior and discern trends. Certain DLP tools can also monitor the use of email and the Internet. The effective use of such tools can help you mitigate the insider attack threat.

About the author: Sivarama Krishnan is the executive director and partner for performance improvement at PricewaterhouseCoopers. (As told to Dhwani Pandya)

This was first published in September 2009

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.