The ultimate guide to building an insider threat program

In today’s digitized world, organizations capture & store an enormous amount of consumer data. This data is leveraged for valuable insights to drive business growth. While data has powered some of the most rewarding business innovations over the last decade, there’s a real challenge with protecting consumer data and privacy.

Data breaches happen all the time - this year alone we will have almost 5,000 reported internal data breaches (as estimated by the Ponemon Institute).

A data breach costs organizations millions of dollars in fines, remediation, and lost revenue. As per the 2020 Cost of Insider Threats Global Report by the Ponemon Institute, the average cost of an internal data breach is $11.5 million.

Beyond these costs, a company suffers a great loss of trust each time it has a data breach. That trust then takes years to rebuild, if rebuilding it is even possible.

So why do these internal breaches happen?

  • Businesses are highly focused on protection against external cyber threats. The typical high-priority security infrastructure includes anti-malware, external firewalls, DDoS attack mitigation, external data loss prevention, etc.
  • Internal stakeholders - employees, contractors and partners - are viewed as much more benign. So companies choose to deal with them using training and trust.
  • Internal threat mitigation is limited to access control, encryption, etc. These methods divide insiders into haves and have-nots, a way to restrict access to sensitive data.

What is lacking here is an understanding of how data is used internally. Businesses that do not know how insiders use data have no way to prevent breaches that happen because of those insiders’ carelessness or malfeasance.

And that is the reason why we still have so many insider breaches. But let’s take a step back and clearly define what an insider threat actually means.

What is an Insider Threat?

Insider threats can be defined as security risks to the organizational data and systems which originate “inside” the organization. The term “inside” needs to be explained further. We do not mean only within the perimeter of the business’ offices, i.e. your current employees. Insider threats can also originate from anyone who has, or may have had, access to your organization’s systems and data stores, which means contractors’ and partners’ employees also fall within the definition of an “insider”.

While external threats are always intentional, insider threats can originate from an intentional or unintentional act.


Carelessness or lack of training

Insiders can sometimes unknowingly expose the system to threats. For example, an employee who intends no harm may click on an insecure link, infecting the system with malware, or misplace a company laptop with confidential data on it.

Break Ins

These are situations where a malicious outsider has managed to gain insider access to a privileged network and wreaks havoc on the system. For example, a mole infiltrates your CRM by gaining access to an employee’s login credentials when they were using a public network in a cafe.


Why are insider threats a bigger deal now?

There are multiple reasons why insider threats are even more significant and harmful in the current times, compared to even a few years ago.

Customer Analytics Vs Data Security

Organizations today capture and store huge amounts of consumer data every single day. And this data is used prolifically by data science teams, business analysts and engineers to derive actionable insights. Data is often parsed through analytical engines, AI and machine learning algorithms. This means consumer data is not only stored in greater volumes, but also that the number of system and human interactions with the data has grown manifold. More interaction and use also means exposing the data to security vulnerabilities. Are organizations really equipped to safely use so much data?

Greater Consumer Awareness & Stricter Privacy Laws

According to a survey done by PwC, only 25% of the consumers believe that most companies handle their sensitive personal data responsibly. Consumers today are more aware of data security vulnerabilities and their right to adequate data protection. Recent breaches (e.g. Facebook, Ticketmaster, Marriott) received a lot of news and social media attention, resulting in significant erosion of brand trust.

This has resulted in greater privacy protection across geographies. In fact, data privacy is now increasingly recognized as a fundamental human right, and governments worldwide have enforced strict regulations like GDPR and CCPA. If companies fail to adequately protect consumer data, they now risk consequences from regulators in the form of hefty fines, as well as customer churn on account of lost trust in the brand.


Data Portability

Data has also never been more portable. In today’s open and cloud-based collaborative work environments, employees can easily transfer, share or remove data, which means any exfiltrated data or PII can easily find its way to the web, email, or personal cloud storage services like Dropbox. This poses a real risk of data loss and theft.

All it takes is one data breach and an organization could lose millions of dollars in revenue, penalty for non-compliance and damage to reputation. So, how much can an insider breach potentially cost your business?

Financial losses from Insider Threats

As per the Ponemon Institute’s 2020 Cost of Insider Threats Global Report, the average global cost of Insider Threats has increased by 31% in the last two years to $11.45 million. Also, the frequency of incidents spiked by 47% in the same time period.

The financial impact of an insider breach largely depends on how soon an organization can discover it and take appropriate action. The Ponemon Report reveals that it took organizations an average of 77 days to contain an insider-related incident. Only 13% of respondents managed to get the threat under control within a month.

Breaches that took longer to detect and contain cost considerably more than others:

  • Incidents that took more than 90 days to contain cost organizations an average of $13.71 million.
  • If incidents were contained within 30 days, the average cost was lower at $7.12 million.

Breakdown of Insider Threat costs

Why does it cost millions of dollars to deal with insider breaches? We have broken down the overall costs into categories for a more detailed understanding of the impact of each breach:

  • Direct & indirect labor includes both direct and indirect costs associated with in-house personnel and temporary and contract workers needed to identify the cause, track the impact, contain the impact of the breach, and set up safeguards to ensure the incident does not reoccur in the future.
  • Process cost includes governance and control system activities in response to threats and attacks.
  • The cost of disruption includes diminished employee/user productivity as a result of insider incidents.
  • Technology cost includes the amortized value plus licensing fees for software and hardware that are deployed in response to insider-related incidents.
  • Overhead includes a wide array of miscellaneous costs incurred to support personnel and the IT security infrastructure.

The financial impact of an insider breach can also differ by industry and company size:

  • The financial services sector had the maximum impact, with an average cost of $14.05 million per breach.
  • The Services and Technology industries had the next highest costs at $12.31 million and $12.30 million respectively.
  • Organizations with 25,000 to 75,000 employees lost an average of $17.92 million to insider threats.
  • Smaller businesses (500 to 1,000 employees) incurred $6.92 million in such costs.

Potential Insider Threat Indicators

As we saw in the introduction, applying zero trust policies for access control, PAM, and encryption helps create an environment of least privilege. However, these controls can never protect a business against unsafe use by those who legitimately do have access to sensitive data.

This is where it becomes important to understand human behavior and predict risks. Human behavioral warnings can be an indication of potential issues. Digital forensics and analytics can help detect and even prevent insider threats.

Human behavioral indicators typically include the following:
  • Seeking to obtain access to critical assets inconsistent with present duty requirements
  • Unreported or frequent foreign travel
  • Unreported offer of financial assistance, gifts, or favors by a foreign national or stranger
  • Frequently seen in the office during off-hours
  • Being disgruntled with manager, team or organization. Disgruntled employees may try to seek revenge by leaking or deleting critical or confidential information
  • Sudden changes in financial circumstances, e.g. displaying unexplained or undue affluence
  • Attempting to place personnel with access to critical assets under obligation through special treatment, favors, gifts, money, or other means

Digital actions typically include:

What is an Insider Threat Program?

With insider threats on the rise, businesses are beginning to create formal Insider Threat Programs as a critical component of their cybersecurity strategy. An insider threat program outlines measures to prevent, detect, and remediate insider attacks. The objective of an Insider Threat program is to detect anomalies as early as possible and trigger preventive actions before assets, data or personnel are compromised.

8 Steps to Build an Effective Insider Threat Program
Step 1. Define the scope of the program

Begin by defining which departments, personnel, or processes will fall under the scope of the program. This may depend on the most critical risks identified by the organization or as defined by the industry regulations and cybersecurity requirements.

Pro Tip

Remember to clearly include all partners and contractors who have access to your sensitive data or network infrastructure. Also, clearly identify the situations under which an external attack needs to be considered within the purview of an insider threat (e.g. what a hacker does with stolen credentials).

Step 2. Identify the assets and stakeholders

Once you have defined the scope, the next step is to identify the critical assets that must be protected. These can be both physical and virtual assets. The assets could include facilities, source code, IP, R&D information, customer data, employee data, etc.

Once the assets have been identified, it’s important to list out all the stakeholders of an insider threat program. The IT/Security department alone can’t manage and drive a robust insider threat program. The program should have one owner but a broad set of invested stakeholders from different disciplines who can serve as change agents, translate the program strategic vision into practice, get management buy-in and ensure the program’s success.

Pro Tip

Consider including people from these functions in your list of stakeholders: Human Resources, Policy Coordination, Office of General Counsel, IT, Security Operations, Finance & Administration, etc.

Step 3. Create the implementation team

The next step is to form a working team composed of experts from these different departments. This team should be headed by a Program Owner, someone with a senior executive job title. The owner drives decision making, strategizing and program advocacy across the organization.

The implementation team is responsible for overseeing the implementation, review, and updates to the insider threat program. They meet on a regular basis and create action plans which other teams help implement.

Pro Tip

Define an agenda for the implementation team meetings that includes analysis of threat data (from the past 30 days if it’s a monthly meeting), presentation of any audits, new policy suggestions, function/IT system based updates, etc.

Step 4. Get management buy-in

Management buy-in is essential for a successful implementation, not just from a resource or budget-approval perspective, but also as a strong supporter for the initiative. For an insider threat program to be successful, it must have strong executive support in a very frontline, visible, and even celebrated way. These programs can be largely unsuccessful without full participation from the top down. If the team has management buy-in, it is much easier for the working team to get the required cross functional and employee support during the implementation and while launching remedial actions.

Pro Tip

Try garnering executive support beginning with the C-suite (except the CISO). Alternately, try to develop the program as a mandate from the board of directors itself. The most successful security programs have the highest level of executive sponsorship.

Step 5. Analyze data usage

One of the key elements of an insider threat program is to understand how insiders interact with, or use, data, especially sensitive data like consumer accounts or behavioral data. Based on the needs of different teams - IT, Engineering, Ops, Data Science, HR, Customer Support, etc. - you might need to tweak your policies and safeguards; e.g. a data science team might have to run statistical analytics on data sets, whereas a Customer Support rep might have to access an individual’s account data. Institute a repeatable audit process to understand the data usage behaviors of individuals, e.g. by analyzing the SQL queries used to access customer data.

Pro Tip

Having an automated solution like Dasera ensures you always know, in near real-time, if there was any data exfiltration attempt, a privacy violation, or an anomalous behavior from an insider’s account. This helps your insider threat program’s remediation to get activated quickly and prevent data from “leaving the premises”.

Step 6. Create a risk assessment map

Develop a risk assessment map showing an accurate picture of the current security vulnerabilities and potential threats corresponding to all the critical assets. List all the data associated with the assets that need to be protected, along with details about that data.

For example:

  • What is the value of this data to the organization?
  • What would be the consequences in case of a data breach? Include compliance fines, lawsuits, revenue loss, and loss of reputation.
  • Who would be interested in stealing this data, and why?
  • How valuable would it be to others, e.g. hackers, competitors, etc.?
  • Which insider threat is more likely to steal it? Is it a likely target for a malicious insider? Is it something that an employee could easily accidentally email to an unauthorized party? Could a partner leak it?

Pro Tip

In the risk assessment map, also map out all unexpected insider behaviors for each kind of data asset. For example, in a customer purchase history dataset, it is unusual for someone from the data science team to be looking up a specific consumer’s PII. This helps support risk monitoring policies and remediation plans.

Step 7. Create a remediation plan

After the risk assessment, formulate a remediation plan comprising:

  • Define insider triggers: Focus on the most common data exfiltration scenarios. There are a few common use cases that impact nearly every organization, e.g. employees resigning, high-risk workers, accidental leakage and organizational changes like re-organization, M&A, etc. These use cases make up the vast majority of insider threat incidents, and serve as the foundational triggers of the insider threat program.
  • Assign security controls & technology elements that need to be in place: List the policy governing each trigger, the information to be captured by different systems and the analytics that need to be done to infer intent.
  • Define the action/workflow corresponding to each trigger: Clearly define the workflow for each trigger and consistently execute and improve the steps you establish. E.g. when an employee departure is triggered, define which activities will be examined and which activities will trigger an in-depth investigation.
  • Create rules of engagement: Define which stakeholders will engage, and how, once a workflow has been triggered and potential data exfiltration identified. For example, employee exit and accidental leakage incidents will likely trigger engagement from HR and the line-of-business manager. An M&A workflow might trigger engagement from legal staff or the CFO.

Pro Tip

Rules of engagement for IT & Cybersecurity should not include any enforcement responsibilities. This allows them to focus completely on monitoring, detection and remediation, and prevents a “data police” relationship from developing with employees.

Step 8. Audit your program on an ongoing basis

Insider threat protection is a continuous process. For continuously improving the effectiveness of the program, schedule periodic exercises that pose various scenarios to test Insider Threat inquiry and response action procedures. These exercises will test the adequacy of Insider Threat indicators, triggers, thresholds, and the measures and safeguards in place to ensure compliance with the underlying policies and applicable laws. Security managers can list the gaps and suggest recommendations to address identified vulnerabilities to the management.

Pro Tip

Conduct the review exercise at least twice a year. Cybersecurity personnel should work closely with stakeholders and behavioral and analytic experts to reassess the indicators and refine thresholds and triggers as per the changes in the threat, work, and technology environments.

Best Practices For Building An Insider Threat Program

Identify the potential causes of insider breaches in your company and industry

It’s worthwhile to analyze data breaches in your organization and industry critically and understand the real “intent” behind them. This will not only help spot behavioral anomalies faster, but also enable the organization to put the right controls and remediation strategy in place for a successful program.


Align Terminology with the Culture

Program terminology is as important as the program design. Adopt terminology which is well aligned with your organization’s culture and resonates well with employees. There is a chance that the name “Insider Threat Program” will be negatively perceived by employees. We suggest you select a more benign name. For example, some organizations use names such as “Core Asset Protection” program, “Employee Protection Program”, “User Protection Program”, etc. The underlying message is that data and employees are both equally important to the organization. It may seem trivial, but an appropriately named program will have wider acceptance and a significant impact on the success of the program.


Be Transparent & Establish Trust

Insider Threat programs cannot be run in isolation by the IT Security or management team; they must be run in partnership with employees. Treat your employees as partners in the program. Communicate that you trust them with the organization’s highly confidential and valuable data. However, with the rise in data breaches, necessary controls also need to be put in place. Be transparent and have guidelines in place that clearly explain what behaviors are being monitored, employees’ workplace privacy rights, and the repercussions of accidental or intentional data breaches. This approach will enable employees to make the right decisions and act responsibly.


Emphasize the “Personal” Benefits

It is important that employees understand that an Insider Threat Program is critical not only for the organization but for them as well. Make them realize that any data breach will impact the organization’s financial stability and reputation, and that this will impact them and their peers personally as well. On the other hand, compliance with rules and expectations safeguards intellectual assets and enables the organization to perform better. This in turn will benefit them in terms of compensation, career growth and other opportunities.


Build the Culture

Culture eats strategy for breakfast. This is true, invariably, for the success of any organization-wide initiative. An effective Insider Threat program requires mindset transformation of employees and all the stakeholders, and this doesn’t happen overnight. Organizations need to make a conscious effort in order to integrate “security awareness” into their culture. This has to be done through adequate training at all levels, putting necessary guidelines, policies and protocols in place, and developing a transparent system where employees can freely raise their concerns and make recommendations.


Focus on Automated Monitoring

It’s clear that Insider Threat programs are all about identifying anomalous behaviors and taking appropriate remedial actions. It’s also crucial to understand the real intent behind these behaviors. That’s why organizations should invest in solutions that automatically analyze user behaviors to learn the baseline behavior and identify anomalies in real time.

These metrics may not be the ones that traditional security systems report on. E.g. knowing who accessed a database, when, and from which device is not enough anymore; it is critical to understand what they did once they accessed the database.
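As an added example (not Dasera’s code and not part of the original article), the following Python classifies queries from a constructed query-audit log by what they do with customer data, as Step 5 suggests, and flags the mismatch described in the Step 6 Pro Tip (a data scientist looking up one consumer’s PII) as well as unfiltered bulk reads of PII columns. Table, column, team names and the role baselines are assumptions.

```python
"""Classify SQL queries from a (constructed) query-audit log by how they USE
customer data, then flag role/usage mismatches as insider-risk signals.
Written for this guide as an illustration; not Dasera's product logic."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed: columns in the customer tables that hold PII.
PII_COLUMNS = {"email", "phone", "ssn", "full_name", "address"}

# Assumed role baselines: the query shapes each team is expected to run.
ROLE_BASELINE = {
    "data_science": {"aggregate"},           # statistics over many rows
    "customer_support": {"single_customer"}, # one account at a time
    "engineering": {"aggregate", "bulk"},    # e.g. filtered ETL jobs
}


@dataclass
class Finding:
    user: str
    team: str
    shape: str
    reason: str


def query_shape(sql: str) -> str:
    """Return 'aggregate', 'single_customer' or 'bulk' for a SELECT."""
    s = sql.lower()
    if re.search(r"\b(count|sum|avg|min|max)\s*\(", s) or " group by " in s:
        return "aggregate"
    # An equality predicate on a customer identifier targets one individual.
    if re.search(r"\b(customer_id|email)\s*=\s*('[^']*'|\d+)", s):
        return "single_customer"
    return "bulk"


def touches_pii(sql: str) -> bool:
    """True if the select list names a PII column (or is SELECT *)."""
    select_list = sql.lower().split(" from ", 1)[0]
    if re.search(r"select\s+\*", select_list):
        return True
    return any(re.search(rf"\b{c}\b", select_list) for c in PII_COLUMNS)


def assess(user: str, team: str, sql: str) -> Optional[Finding]:
    shape, pii = query_shape(sql), touches_pii(sql)
    expected = ROLE_BASELINE.get(team, set())
    if pii and shape not in expected:
        return Finding(user, team, shape,
                       f"{team} ran a {shape} query exposing PII; "
                       f"baseline is {sorted(expected)}")
    if pii and shape == "bulk" and " where " not in sql.lower():
        return Finding(user, team, shape,
                       "unfiltered bulk read of PII columns")
    return None


# Constructed sample audit log: (user, team, query). Not real data.
AUDIT_LOG = [
    ("alice", "data_science", "SELECT AVG(order_total), COUNT(*) FROM purchases GROUP BY region"),
    ("alice", "data_science", "SELECT full_name, email, address FROM customers WHERE customer_id = 48213"),
    ("bob", "customer_support", "SELECT email, phone FROM customers WHERE email = 'jane@example.com'"),
    ("carol", "engineering", "SELECT customer_id, email, ssn FROM customers"),
    ("dave", "engineering", "SELECT customer_id, email FROM customers WHERE signup_date > '2020-01-01'"),
]


def run(log=AUDIT_LOG) -> list:
    """Return the findings for every flagged query in the log."""
    return [f for f in (assess(u, t, q) for u, t, q in log) if f]


if __name__ == "__main__":
    for f in run():
        print(f"{f.user} ({f.team}): {f.reason}")
```

Only Alice’s single-customer PII lookup and Carol’s unfiltered read of the customers table are flagged; the aggregate, support and filtered engineering queries match their baselines.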

Adopting and implementing an Insider threat program isn’t a choice for organizations any more, but a necessity for thriving in today’s digital world.

Continuous improvement, developing the right culture, effective communication throughout the organization, developing a partnership with employees, and a tech stack focused on insider behaviors are some key success factors for an effective Insider Threat Program.

We hope you found this article useful. Do check out the Dasera platform that automatically finds, flags, and rewrites unsafe queries executed by insiders on your critical data warehouses.
