Do you have an Insider Threat Program?

Insider threats are increasingly on our radar. We saw a recent example in Australia, with a Bluescope Steel employee taking out company documents. In another well-publicised incident, two research scientists at Glaxo Smith Kline, Yu Xue and Lucy Xi, were charged with stealing trade secrets.

Now, in the murky shadow of WikiLeaks, we have, if you like, ‘a whistleblower on whistleblowers’. A new insider threat program to identify these malicious individuals has been created by the Obama administration’s USA Office of National Intelligence, which noted that:

“An insider threat arises when a person with authorized access to U.S. Government resources… uses that access to harm the security of the United States. Malicious insiders can inflict incalculable damage. They enable the enemy to plant boots behind our lines and can compromise our nation's most important endeavors.” [1]

Continuous Evaluation

This is not something that can be opted out of; you have no choice in the matter. In the USA, there are around 100,000 military personnel, civilians and contractors under such surveillance.

In scope is total surveillance of US personnel who have specific access to classified information. It includes emails, messages and other electronic communications (using what are referred to as ‘push and pull’ approaches).

The reality is that this approach is about monitoring electronic behaviour both on and off the job to detect potential threats. Indeed, the US government is taking insider threats seriously.

The Insiders

Both the FBI and Department of Homeland Security agree that so-called ‘insider threats’ have increased and pose a serious risk.

This level of surveillance will capture both the accidental and the malicious.

‘Accidental insiders’ are those targeted by adversaries, for example through a spear phishing attack from a known or friendly source. In the main, such insiders are unaware that there is potential or actual risk.

On the other hand, ‘malicious insiders’ are individuals who set out to deliberately cause harm; they realise that their actions can cause real damage.

Ultra Sensitive?


Clearly, having an Insider Threat program will always be ultra sensitive. Most enterprises have some level of this monitoring underway. There are various tools that both monitor and prevent information leakage.

What is clear, though, is that such reporting often goes to someone in HR or, even worse, a member of IT. It is not that trust is an issue; rather, they (HR and IT) may have no idea which files are actually acceptable to share outside.

The ‘best practice’ that I have seen is where the technology, process and people all intersect, and a supervisor gets a notification of what files their staff members have copied, etc.

No Budget

Most enterprises also do not have a budget for insider threats, which works against the issue being taken seriously. Instead, we have to approach this problem with the mindset that an ‘insider threat’, whether innocent or malicious, is a near certainty.

Taking that approach means we always have to be on the lookout for such patterns, rather than waiting for an issue to occur.

Against the HR grain

This also means that we proactively monitor our staff at the same time that we preach empowerment and giving authority to teams. There are also modern-day work pressures: work is no longer performed just in the office. Sending a file to one’s home email address may be innocent, but it can’t be allowed in today’s world.

A recent Harvard article talked about “how most of us think about trust as a black and white decision”.

“We trust you or we don’t. In business relationships, trust is rarely so clear cut…… rather than black or white, a better approach is to think of trust more like a barometer. Trust goes up and down depending on the circumstances” [2]

Unfortunately, it is not good enough to follow your natural tendency and base trust on gut reaction. We all need to look at putting in place an Insider Threat program and, specifically, a Continuous Monitoring approach.



[1] http://www.ncsc.gov/issues/ithreat/

[2] https://hbr.org/2015/09/what-to-do-when-you-dont-trust-your-team


Tags: Threat Program, David Gee