Last month, the Department of Homeland Security’s (DHS), Cybersecurity and Infrastructure Security Agency (CISA), issued a comprehensive Insider Threat Mitigation Guide to help organizations establish or enhance insider threat prevention and mitigation programs needed to secure assets, systems and networks that are essential to critical infrastructure operators. The Guide is the most recent resource available for the private sector and serves as a compilation of other guides, best practices and frameworks CISA has provided to the private sector to help mitigate the risks of insider threats. Importantly, the Guide recognizes the depth and complexity of the problem, by creating a scalable framework of best practices that can be adjusted and scoped to meet sector- or organization-specific needs.
According to the National Insider Threat Task Force (NITTF), insider threats regularly account for major losses and disruptions to organizations and can range from intellectual property theft and loss, to workplace violence resulting in death, injury or physical property damage, to the loss and compromise of sensitive and protected data. The multifaceted nature of risks presented by insider threats have long been recognized as vectors that could present unique issues and complexities for organizations in designing and implementing mitigation measures. As an example, in the most recent version of NIST’s Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, insider threat controls are included as part of the awareness and training family of controls, along with the incident response and program management control families. This diverse methodology for addressing insider threat risks tracks directly with CISA’s Guide, which calls for insider threat mitigation programs to span the “entire organization,” requiring the coordination of security, IT, and risk management personnel, but also human resources, legal and executive management.
For the private sector, defining what constitutes an insider threat is an important first step in developing a better understanding of the scope of the risk. CISA asserts that an insider threat comes from any individual with access to or knowledge of an organizations systems, processes, personnel or facilities, and who uses that access or knowledge to disrupt the “integrity, confidentiality, and availability of the organization, its data, personnel, facilities and associated resources.” Further, such disruptions have a tendency to manifest themselves in five categories of threats: cyber, sabotage, espionage, violence, and/or theft. Both the definition and threat categorization rubric are essential for organizations to understand because these baseline concepts allow them to assess both the likelihood and impact these specific threat vectors could have on their operations.
From there, CISA puts forward a basic, principles-driven, insider threat mitigation framework that can be adjusted and scoped to the needs and maturity of the organization. The basic principles that should underly the insider threat mitigation programs are: a supportive climate of accountability and mutual respect to encourage reporting; promoting organizational values like privacy, civil liberties; and remaining adaptive to organizational changes and realignments. The basic framework for implementing and operating a successful program includes:
Planning, which includes identifying, tracking, and monitoring critical assets to establish guiding principles and policies that align organizational values with the purpose and goals of the insider threat program.
Organizing and equipping the program with the technology, information, personnel, reporting paths and investigators needed to assure success.
Training and executing the program through all levels of the organization and focus on messaging that emphasizes prevention and shared awareness of the threat and responsibility to report, as well as the policies, procedures, and agreements that have been put in place to ensure both personal and organizational accountability.
Evaluating and improving the program through regular exercises and reviews that are designed to update and align the mitigation program with changes to the organizations missions, visions or values.
CISA’s Insider Threat Mitigation Guide is a functional tool that the private sector can utilize to implement and operate an effective mitigation program. While scoped and intended for critical infrastructure owners and operators, the flexibility and adaptability built into the framework presented in the Guide, will allow for broader adoption across a wide range of companies looking to implement and address insider threats. Additionally, for companies looking to do business with the federal government, this Guide provides a readily accessible framework that could help bolster your insider threat mitigation program with state-of-the-practice techniques that are shared across federal agencies.