What are the proper procedures for handling a potential insider threat?

In this SearchSecuity.com Q&A, Mike Rothman discusses how corporations can avoid insider threats by forming an incident response plan and monitoring employee behavior.

Mike Rothman, Securosis

MIS/employee support staffs have access to sensitive enterprise and personal information. As a security team, what measures should we recommend if we suspect that they aren't following proper security procedures?

The issue of handling insider bad behavior should fall under an organization's incident response plan. If sensitive and/or personal data might have been compromised, it's a possible incident. As with any incident, the rules of engagement should be defined before there is an issue. That means a documented plan that has been agreed upon by all of the applicable influencers; including legal and human resources groups.

The first thing to do is investigate the issue. Locking down devices and/or denying data access to suspected staff...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

members is one way to go, but that would be a sure tip-off. In most cases, monitoring employee activity and building a case is the most productive plan of action. Keep in mind, this should not be done alone: legal and HR groups need to be involved to make sure any remediation, sanction or other activity is handled legally and within corporate policies.

Once enough information is gathered to prove foul play, then it will be up to the powers that be to handle the situation. Depending on the nature of the transgression, law enforcement may be brought in. In all cases, the documentation and other information that was used to build the case will need to be provided.

Prosecuting an incident is one of the worst parts of being in the security business. But it's critical and unfortunately it's usually best to make a public example of the transgression. You may or may not believe in the power of a "public execution" as a deterrent to future bad behavior – but I do. I've seen it work.

For more information:

In this Ask the Expert Q&A, Shon Harris provides resources you can use to devise an effective incident response plan.
Learn how creating a security awareness program can help thwart the insider threat.

This was last published in September 2007

Dig Deeper on Information Security Incident Response-Information

What to do first when hit by a cyber attack What actions should organisations take if they suspect they have suffered a cyber security incident?

Symantec certificate authority issues listed by Mozilla developers Mozilla developers respond to questionable Symantec certificate authority practices, as the security provider questions Google's proposed solutions.

How to use an incident response policy to better collaborate Several different teams come together to follow an incident response policy after a security breach occurs in an enterprise. Here's how CISOs should manage the process.

Encyclopedia of Ethical Failure (EEF) The Encyclopedia of Ethical Failure (EEF) is a series of case studies that illustrates poor judgement on the part of United States federal employees. In general terms, an ethical failure is a poor decision that intentionally or unintentionally breaks a law or violates an organization's code of conduct.

Incident reporting and employee surveillance laws in other countries When an organisation has employees abroad, the security team must understand employee surveillance laws and incident reporting requirements.

Fines aren't working: time for a Data Protection Offenders' Register On Tuesday the Information Commissioner Christopher Graham announced the outcome of his office's investigation into alleged security failures by ACS:Law, and the imposition of a £1,000 fine on the ...

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Please create a username to comment.

Benefits of using Azure Security Center for security assessments

Use Azure Security Center to conduct a security posture assessment

How container adoption affects container security

The top 10 network security best practices to implement today

SD-WAN explained in 15 key terms and phrases

Cisco earnings foreshadow slowdown in tech spending

Don't let edge computing security concerns derail your plans

Risk-based digital identity benefits CIOs, CMOs and customers

Agile practices endure and continue to adapt

Project Limitless' 5G PC and what desktop admins need to know

Jamf Protect offers visibility, protection for macOS admins

Compare Windows 10 OS editions to determine the best fit

A primer on Alibaba Cloud for Western enterprises

AWS, Azure and Google peppered with outages in same week

Google to unveil post-Chronicle cloud cybersecurity plans

Australian bourse to overhaul technology infrastructure

How businesses can accelerate innovation

University Hospitals Birmingham demos UK’s first remote 5G-powered diagnostic procedure

Dig Deeper on Information Security Incident Response-Information

Related Q&A from Mike Rothman

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.