Cybersecurity Awareness Month (CSAM) is a useful reminder to all of us to reinvigorate our efforts to protect our networks from Insider Threats. Insiders are difficult to detect because they abuse their legitimate system access to purloin or sabotage information.

Evaluate your own Insider Threat Program like you would any technical or non-technical internal risk mitigation effort. It’s vital to centralize decisions and coordinate information sharing. But this is only part of the picture.

U.S. executive agencies are subject to the National Insider Threat Policy (NITP) which grew out of E.O. 13587. Even if you are not under its mandate, the NITP is a useful overview of how a program’s gears should turn.

The NITP calls for a centralized function known as the Hub. Here is where all relevant data should flow, so that it can be analyzed and decisions made.  So far so good.

But the Hub is not enough.  If you focus exclusively on the nuts and bolts of your insider program you are still missing a key component of insider threat prevention.

In fact, the NITP also calls for tailored risk management principles to be applied. So how do you achieve this in practice?

We’d argue that a tailored risk strategy starts with your employees -- and not just when they have put fingers on keyboards to misappropriate protected information. How attuned are they to the needs of your organization? If their personal interests don’t coincide with your business goals, then you could be in for some nasty surprises.

In an ideal world, all would be harmonious within your organization, and you’d have perfect insight into the effectiveness of your defensive cybersecurity programs. But organizations are filled with unpredictable human beings.

Most people don’t start out their employment intending to be insider threats.  Something changes for the worse along the way. You need a safety net in place to prevent insider cyber threats, not just detect them. Essential elements to consider are:

 
• Employee assistance to avert personal crises before they become catastrophic
 
• Metrics on organizational health -- such as employee satisfaction
 
• A supportive management culture that “walks the walk” on security

Culture is admittedly a fuzzy term. But ask yourself: is the overall security culture one that supports the protection of information and personnel? Are your organizational security policies and procedures empty slogans, or are they truly practiced by everyone, from the top down? Do employees know how to report suspicious activity without retribution?

If not, then you have to make a change. It will not be easy. It will take time. And you will need sustained and active executive-level support at the top of the organization, not just within your IT or Security functions.