Don’t Try to Eat the Elephant All in One Bite: Creating a Zero-Budget Insider Threat Program

It’s 2023, what’s the phrase that’s most likely to make a corporate security leader twitch? Two words: insider threat. This term carries a tremendous charge, and with good reason. In the era of hybrid, distributed employment, an array of new risks surrounds employees and contractors who have access to your company’s intellectual property (IP), facilities and equipment. We’re talking about everything from physical threats to active shooters to stealing data and planting ransomware. And it's not always outright theft—insider threats can include concerns like employees downloading project files for use at their next job. The Cybersecurity & Infrastructure Security Agency says it succinctly: “Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization.”

These risks pose all kinds of complex challenges for those in charge of security. In response, a growing number of government agencies and private sector companies have developed something new in security: the insider threat program (ITP). Some of these companies were part of an event we recently held in our Boston studio. Thirty-five security leaders from leading international corporations met to discuss ITPs and ways to bolster organizational resilience. This was an important moment in the evolution of the ITP; this group had been talking online about it for several months and found it was time for the community to meet in person, share and learn.

The Zero-Budget ITP

One of the key conclusions from the event: While the security world thoroughly understands the danger of insider threats and the need to take early action, corporate executives aren’t there yet—and they’re not quite ready to make any big ITP investments.

Some security colleagues believe that they need a budget of millions of dollars to get an insider threat program airborne.

This is not the case.

To remedy the situation, we introduced the notion of a zero-budget insider threat program at our event. Here we share it with you. Such an initiative is about intelligently leveraging your existing systems and processes across a company. It’s the smart organization that brings together their internal audit and compliance systems, their cyber tools and physical security apparatus. An effective ITP is about knocking down the silos between various internal corporate functions so that vulnerabilities don’t develop. Break the silos, and you’ll be able to focus on the behaviors of employees that might signal that you have a problem that requires a deeper dive.

Taking the First Two Steps

My advice to people who are getting into insider threats: Don’t try to eat the elephant all in one bite.

The first step: Identify your biggest insider risk. Convene the necessary players and get them to have an honest conversation about where your vulnerabilities lie. Once you’ve done this, you can begin to create a strategic framework to address them. If you can effectively mitigate even one risk, you lay the groundwork for eventually expanding the program into a more holistic approach to insider threats.

At our event, we discussed a case study involving employment fraud: multiple incidents where individuals who had been hired weren’t who they claimed to be. (Because so much of hiring has shifted online—interviews and background checks and such—there are new sorts of vulnerabilities created that simply weren’t there before.) After passing through the hiring and onboarding processes these individuals were put on projects and had access to customer data but never did any work or showed up for a single meeting. These fraudulent employees, who represent the classic insider threat, can potentially bring a business down if their intention is to do so.

Once you’ve located your largest insider risk, work with your colleagues to document the real-life instances where you may have been vulnerable. Gathering this data will be valuable because the details will make the risk and the solution more apparent. Then you can move on to root-cause analysis. As you come to understand the risk in a deeper way, you can prepare to combat it.

Step two involves looking at your current processes—such as those around ethics and compliance, supply chain, HR/people, frontline management, just to name a few—and identifying the vulnerabilities and gaps. See where you can enhance or redefine your controls. Rather than trying to create a batch of new controls to address insider threats, make sure to update the ones you already have… and not just once, but periodically. It’s essential to understand that risk always matures over time. If your ITP is to be effective, it needs to be in a continual state of iteration. Make certain, at the beginning of the project, that your leadership comprehends this.

Behavior Change First, Tech Investment Second. 

One of the reasons that a zero-budget ITP is viable is that insider threats are not a technical but a behavioral issue. We’re talking about employee behavior and that can’t simply be managed by a tool. You’re not going to solve the problem with technology. Yes, tech is part of the solution, but an effective ITP first considers the behavior and how to alter it.

You need to be clear about educating employees on what behavior is not allowed. Let them know, for instance: If you use a company computer, you’ll be subject to monitoring, and You can’t take IP when you leave. Have them sign an NDA when offboarding. Such clarity will help amend behavior throughout the employee lifecycle and discourage insider threats.

In short, try to alter any dangerous behavior and, when you can’t alter it, look for those red flags that create a risk for you and your customers. Once you’ve proven that your ITP can work, the executives will be ready to expand and, yes, invest.

Want to talk about insider threats? Happy to do so. You can find me here.