The limits of an insider threat program

Insider threats are always on the minds of CISOs, although defining the threat is one of the biggest problems.

Some vendor surveys count external threat actors who get hold of the credentials of employees or suppliers as “insiders,” on the reasonable grounds that on the network both look the same. That boosts the alleged risk of an insider attack to a high percentage, which is good if you’re a vendor pushing a product. However, it could also lead to putting more emphasis on network defence and not enough on edge or endpoint protection.

Similarly, counting employee errors — misconfiguring a server, clicking on a malicious attachment — as an insider threat may also tip a CISO’s strategy in the wrong direction.

Most experts agree the biggest threat to organizations comes from outside attackers. But the risk of an insider — employee, partner, contractor, supplier, guest on the network — doing deliberate damage still has to be faced. The best way to do that is having an insider threat program using technologies such as behaviour analytics and alerting.

In a column this week, Josh Lefkowitz, CEO of Flashpoint, a business risk intelligence company, notes that the primary objectives of such a program are to “deter, detect, and respond to insider threats—not prevent them.” The issue, he argues, isn’t that insider threats can’t be prevented but that prevention occurs largely at the information security level, not the internal threat program level. “Many of the same basic, best-practice information security controls that help organizations mitigate threats such as phishing and malware infections can also help prevent insider threats,” he writes.

By this he means controls such as identity and access management, quickly revoking former employees’ access to company systems, blocking users from accessing personal email, social media, and external instant messengers from inside the network, restricting the use of flash drives and external media storage devices, enforcing bring your own device (BYOD) policies, and ensuring all users are trained thoroughly and often on security awareness and hygiene best practices.

So go ahead, make your insider threat program. But remember who you are looking for, and that prevention solutions really count first.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
