You’ve discovered an Insider Threat in your business – what do you need to do next?

padlock-lock-chain-keyIf you’ve detected an Insider Threat within your business what do you need to do?

An Insider Threat is a threat to the security of the business from someone within the organisation – this can be malicious or completely unintentional. But the result is the same – there is a threat, and it needs to be dealt with.

Jamie Graves, IS CEO of cyber security company, ZoneFox, and he advises taking the following steps if you discover an Insider Threat:

  • Partner up with your HR department

Ideally, obtain HR buy-in on processes around dealing with the insider threat before it rears its ugly head, but even if it’s too late for that, it’s still important to work WITH the HR team.

  • Back up your actions with documentation

Ensure that there are ample security policies and/or employee agreements that back up any actions that may have to take place due to Insider Threat activity. For example, acceptable use policies, information security policies, and privacy policies.

  • Classification is key

Once an incident is declared, triage must take place very quickly. Understand – as much as possible – whether suspicious activity is intentional or not. A user attempting to pilfer out data intentionally should be handled differently than a user who downloads malware accidentally. The classification step revolves around the “how” and the “why”.

  • Prioritize incidents accordingly

In order to develop timelines for dealing with an Insider Threat, you need to prioritize your incidents. Based on the value of the compromised information assets, the privilege level of the user, and the action being taken, you can build a priority matrix.

For example;

  • P1: Further investigation required right now, all hands on deck, containment is top priority
  • P2: Further investigation required, all hands on deck right now to determine further actions
  • P3: Further investigation required, all hands on deck not required
  • P4: No further investigation required, threat mitigated or nil
  • Decide on a mitigation plan

Devise a plan based on priority level, established processes, and HR agreements. This may include disciplinary measures, and items needed for investigation, such as network activity logs or a user interview.

  • Act when the time is right

With your plan in place, it is time to act. This may include reduced or removed user privileges on high value assets, confiscation of company assets in the user’s possession, and/or interview with HR and cybersecurity teams. Ensure that all parties involved are sending the same message. No good cop/bad cop here!

  • Gather more data

Once you have acted to contain the threat, it is imperative to understand when the activity may have started, if there is more than one party involved, any tools, techniques and procedures put to use, and what the intended target was (if it was intentional). Data is your friend here, and hunting for any and all activities pertaining to this threat in your environment is paramount to getting to the bottom of things. But remember to be discrete.

  • Again, work with HR!

If you have your ducks in a row – the threat is neutralized, and you have next steps in place – this is the time to work with HR to have them deliver any bad news.

Remember, leverage your HR team, keep your policies up to date.  Develop an incident response plan complete with containment and eradication measures. Remember; data is your friend, so have a robust user behaviour analytics engine running behind an endpoint monitoring solution.

With all of the above tools and advice close at hand, hopefully you can sleep better knowing that there is a way to help contain and eradicate the insider threat.

For more advice on how to deal with an Insider Threat, see:


980-x-1248pxAbout ZoneFox

Jamie Graves Ph.D is Co- Founder and CEO of ZoneFox, an Edinburgh-based Cyber Security company.

Established in 2010, ZoneFox, provides progressive security solutions that protect valuable company data and intellectual property against the Insider Threat, with its patented technology.

ZoneFox technology monitors, records and analyses user behaviour across the network and on all endpoints and then alerts on any risky behaviour, accidental or malicious, before it becomes a problem … all without impacting on user privacy or productivity.






LinkedIn Company Page:

More from Family Friendly Working
Should Your Network Be Broad or Deep? By Hilary Briggs, Director R2P Ltd
“It’s not what you know – it’s who you know”. If this...
Read More

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.