Revamping your insider threat program


Also, you must have a separate process for identifying and reporting questionable behavior that is outlined along with other policies in a user handbook -- thus ensuring disclosure and consent. For instance, if an employee observes another employee doing something wrong, he or she should be able to contact the insider threat management team by phone, email, online form or in person. That complaint should then be worked through a well-defined process to exonerate the employee, escalate monitoring or invoke termination while protecting the privacy of both the accuser and the accused. You also want to hide the existence of the incident.

Having a proactive insider threat detection program and safe reporting structure can mitigate situations such as a hostile employee, significant data loss or even liability from false accusations.

All complaint resolution processes that require monitoring, logging or other technological activities should be carried out on a segregated network, Knutsen advises. Investigators should be audited on this segregated network to ensure they abide by corporate guidelines.

"False positives can cripple an insider threat detection program when companies don't do enough planning regarding the rumble strips and the procedures for follow-up," Knutsen says. "A well-defined process is critical to protect the privacy and reputation of individuals involved and intellectual property."

If you protect everything, you protect nothing

As Mahlik digs deeper into revamping MITRE's insider threat program, he is well aware that it is impossible to protect everything. He is prioritizing threats by helping the internal threat team pinpoint areas where problems would most likely brew.

He's optimistic that with proper planning and closely coordinated policy, human and technological systems, MITRE will have its insider threat framework in place by year-end. "The magnitude of the issue is clear, and the employee population is sensitive to the need for these programs," he says.

Along these lines, Mahlik says, it's key to understand who and what cyber thieves might be targeting within the company, "which almost always includes those in the company who have privileged access to information of value." As he says, "we all understand a threat to one is a threat to all."

This article, Revamping your insider threat program, was originally published at

Sandra Gittlen is a freelance technology writer in the Boston area. Contact her at


This story, "Revamping your insider threat program" was originally published by Computerworld.


Copyright © 2014 IDG Communications, Inc.
