Insider Threat Best Practices

Insider threats are influenced by technical, behavioral, and organizational issues and must be addressed by policies, procedures, and technologies, so best practices for mitigating insider threats involve your staff as much as your systems. Decision makers across your organization must understand the overall scope of the insider threat problem and communicate it to everyone. The graphic below illustrates opportunities to prevent, detect, and respond to an insider incident.

Figure: CERT Insider Threat Center, opportunities to prevent, detect, and respond to an insider incident.

To help guide you through this process, we created best practices that mitigate intellectual property (IP) theft, IT sabotage, and fraud. Several are technical controls your organization should implement directly, such as strict password and account management policies, separation of duties and least privilege, explicit security agreements for any cloud services, and system change controls; the rest address the people and processes around those controls.

The 19 best practices are:

  1. Consider threats from insiders and business partners in enterprise-wide risk assessments.
  2. Clearly document and consistently enforce policies and controls.
  3. Incorporate insider threat awareness into periodic security training for all employees.
  4. Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
  5. Anticipate and manage negative issues in the work environment.
  6. Know your assets.
  7. Implement strict password and account management policies and practices.
  8. Enforce separation of duties and least privilege.
  9. Define explicit security agreements for any cloud services, especially access restrictions and monitoring capabilities.
  10. Institute stringent access controls and monitoring policies on privileged users.
  11. Institutionalize system change controls.
  12. Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.
  13. Monitor and control remote access from all end points, including mobile devices.
  14. Develop a comprehensive employee termination procedure.
  15. Implement secure backup and recovery processes.
  16. Develop a formalized insider threat program.
  17. Establish a baseline of normal network device behavior.
  18. Be especially vigilant regarding social media.
  19. Close the doors to unauthorized data exfiltration.
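Practices 12 and 17 (correlate logged user actions and alert on deviation from a learned baseline) are easier to picture with code, so here is an added example; it is not code from the CERT guide or the Insider Threat Center. It builds a per-user baseline of working hours and daily outbound volume from a window of constructed access-log lines, then scores a later window for off-hours activity and outbound volume far above that user's norm (practice 19), and it flags any activity from an account whose owner appears in a constructed HR termination feed (practice 14). The log format, the HR feed, the z-score threshold and all sample data are assumptions made for this example.

```python
"""Baseline-and-deviation detection over constructed access logs.

Illustrates practices 12 and 17 (correlate logged user actions, learn a
per-user baseline, alert on deviation) and touches 14 and 19 (activity on an
account that should have been disabled at termination; outbound volume far
above the user's norm). The log format, the HR feed, the z-score threshold
and all sample data are assumptions made for this example.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed log lines (assumed format): ISO timestamp, user, action, bytes out.
BASELINE_LOGS = [
    "2024-01-15T09:12:00 alice upload 100000",
    "2024-01-16T10:05:00 alice upload 120000",
    "2024-01-17T14:40:00 alice upload 110000",
    "2024-01-18T16:20:00 alice upload 90000",
    "2024-01-19T11:30:00 alice upload 130000",
    "2024-01-15T09:00:00 bob upload 50000",
    "2024-01-16T10:30:00 bob upload 50000",
    "2024-01-17T15:45:00 bob upload 50000",
]
NEW_LOGS = [
    "2024-02-05T10:15:00 alice login 0",
    "2024-02-05T10:30:00 alice upload 80000",
    "2024-02-05T11:00:00 alice upload 90000",   # day total 170000, well above baseline
    "2024-02-06T02:10:00 alice download 5000",  # 02:00 never seen for alice
    "2024-02-03T09:05:00 bob login 0",          # bob left on 2024-02-01
    "2024-02-05T13:00:00 carol upload 20000",   # no baseline exists for carol
]
# Constructed HR feed: account owner -> termination date (practice 14).
TERMINATED = {"bob": date(2024, 2, 1)}


def parse(line):
    """Split one log line into (timestamp, user, action, bytes_out)."""
    ts, user, action, nbytes = line.split()
    return datetime.fromisoformat(ts), user, action, int(nbytes)


def build_baseline(lines):
    """Per user: mean and population stdev of daily outbound bytes, plus hours of day seen."""
    daily = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    for ts, user, _action, nbytes in map(parse, lines):
        daily[user][ts.date()] += nbytes
        hours[user].add(ts.hour)
    baseline = {}
    for user, per_day in daily.items():
        vals = list(per_day.values())
        baseline[user] = {"mean": mean(vals), "sd": pstdev(vals), "hours": hours[user]}
    return baseline


def detect(lines, baseline, terminated, z=3.0):
    """Return (user, alert_kind, detail) tuples for events that deviate from baseline."""
    alerts = []
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, action, nbytes in map(parse, lines):
        # Any activity on or after the recorded termination date is an alert on its own.
        if user in terminated and ts.date() >= terminated[user]:
            alerts.append((user, "activity_after_termination", f"{action} at {ts.isoformat()}"))
        if user not in baseline:
            alerts.append((user, "no_baseline", f"{action} at {ts.isoformat()}"))
            continue
        if ts.hour not in baseline[user]["hours"]:
            alerts.append((user, "off_hours", f"{action} at {ts.isoformat()}"))
        daily[user][ts.date()] += nbytes
    for user, per_day in daily.items():
        b = baseline[user]
        # Floor the stdev so a perfectly regular user (sd == 0) still gets a usable threshold.
        threshold = b["mean"] + z * max(b["sd"], 1.0)
        for day, total in sorted(per_day.items()):
            if total > threshold:
                alerts.append((user, "exfil_volume", f"{day}: {total} B > {threshold:.0f} B"))
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOGS, build_baseline(BASELINE_LOGS), TERMINATED):
        print(*alert, sep="\t")
```

Run as written, the script reports four alerts: alice's 170,000-byte day (her baseline is 110,000 per day with a standard deviation of about 14,000, so the 3-sigma threshold is about 152,000), alice's 02:10 download, bob's login two days after his termination date, and carol's upload with no baseline to compare against. A real deployment would feed the same logic from a SIEM or log correlation engine and keep the HR feed authoritative, since the termination check is only as good as the date it is given.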

Learn more about all of these best practices in the complete report, the CERT Common Sense Guide to Mitigating Insider Threats, 4th Edition.