Larry Knutsen, president of the Laconia Group consultancy and a retired senior intelligence officer, likens the steps in a proactive insider threat detection program escalation process to rumble strips that alert drivers when they are straying from the road.
For instance, if someone starts to visit a hacker site on his work computer — and is ultimately blocked from doing so — but the insider threat detection program receives an alert from its endpoint monitoring system, is this grounds for immediate dismissal? Most likely not, says Knutsen. Instead, a representative of the insider threat team could approach the individual and explain why the behavior is unacceptable. The team could then keep an eye out for continued anomalous behavior. (Knutsen says the views he expresses are his own.)
Knutsen also believes that most employees are not out to do harm and can be deterred with education, training and well-thought-out policies. "The rumble strips/secret sauce should not be disclosed, as the goal of insider threat detection programs should be to save valued employees and quickly remove nefarious ones," Knutsen says. "This is paramount as companies expend valuable resources identifying candidates, then hire them, integrate them into the workforce, train them and promote them," he says.
Also, you must have a separate process for identifying and reporting questionable behavior, outlined along with other policies in a user handbook — thus ensuring disclosure and consent. For instance, if an employee observes another employee doing something wrong, he or she should be able to contact the insider threat management team by phone, email, online form or in person. That complaint should then be worked through a well-defined process to exonerate the employee, escalate monitoring or invoke termination, while protecting the privacy of both the accuser and the accused. The existence of the incident itself should also be kept confidential.
Having a proactive insider threat detection program and safe reporting structure can mitigate situations such as a hostile employee, significant data loss or even liability from false accusations.
All complaint resolution processes that require monitoring, logging or other technological activities should be carried out on a segregated network, Knutsen advises. Investigators should be audited on this segregated network to ensure they abide by corporate guidelines.
"False positives can cripple an insider threat detection program when companies don't do enough planning regarding the rumble strips and the procedures for follow-up," Knutsen says. "A well-defined process is critical to protect the privacy and reputation of individuals involved and intellectual property."