"A crescendo of discussions is happening in boardrooms everywhere about the impact an insider could have on corporate assets," says Tom Mahlik, deputy chief security officer The MITRE Corporation.
Don't try to create an insider threat program during an attack or suspected attack. "That is the worst time to build any program with efficacy," Mahlik says. "You can't build relationships in a time of crisis."
Instead, companies should tackle planning, design and baselining as a necessary and continuous business process. "Institutionalizing a playbook and conducting [drills] before the crisis is the ideal," Mahlik explains.
In most cases, the first place to look for gaps in security is the flow of data in and out of the company. "People can move lots of data around very quickly today," says Dan Velez, senior program manager for Raytheon Cyber Products' SureView insider threat detection and prevention product line. "While that's good for business, it's bad for risk," he notes.
Traditionally, organizations have been good about protecting the perimeter but not what's inside it. "It's time to pull the covers back and examine more closely what's happening on our networks," he says.
Focus on data flow, Velez advises, because newer technologies such as cloud computing and mobile computing are being introduced to the organization on a daily basis, potentially altering the pool of privileged users. In addition, some companies continue to outsource pieces of the business, giving access rights to humans and machines beyond the company's immediate control.
Defining the threat
"When we talk about the 'insider threat,' we are talking about someone or something with authorized access [who] could use that access to do harm," Velez says. Mahlik agrees, adding insiders could be employees, business leaders or supervisors, contractors, subcontractors or supply chain partners.
Before you can renovate your insider threat program, you have to form a multi-function team that understands the information needs of employees, contractors and service providers. The insider threat program needs to balance the protection of the company with the rights and needs of employees.
A multidisciplinary approach is essential. "The goal is preventing or intervening before the crisis, and this requires a programmatic approach, one that is not exclusive to the security department," Mahlik says.
Already, Mahlik's team is partnering with human resources, legal and business groups along with IT for MITRE's insider threat program. Team members consider the life cycle of an employee, from job candidate to exit, and brainstorm areas of risk to detect and mitigate threats.
IT has to make every effort not to institute policies or procedures that impede productivity and innovation. "The last thing you want to do is deploy a system that degrades overall performance," Mahlik says.