Insiders, malicious or not, who are putting valuable company data at risk of theft or compromise often go undetected. While their legitimate access to the information does make it more difficult to spot anomalies, the few clues they do leave behind generally go unnoticed due to failures in an organization’s security program. Many factors converge to cause this to happen:

  • Where are my crown jewels? Many organizations don’t understand the sensitivity of their information or where it resides. Therefore, they are unable to classify it appropriately and put the right access controls in place, which exposes it to more users than necessary. Additionally, it is impossible for the organization to monitor access since they don’t know what information to keep an eye on.
  • Processes? What processes? In some cases, processes are either lacking or ineffective. These processes might affect data classification, as discussed above, identifying how sensitive a piece of information is. Or they might affect user risk: third parties may be labeled as being riskier than employees, for example. The risk labeling could also be more dynamic and include data on employee satisfaction, promotion rates or HR status.
  • The right tools still don’t work. While many organizations have many tools in place to address insider threats, those threats still fall through the cracks. One reason is that these technologies operate in silos. They produce the necessary information, but security specialists can’t connect the dots to derive meaning from it and take action. The same problem exists with individuals who all know something about the users and their access. The application manager, business manager, IT security specialist and internal auditors all hold a piece of the puzzle, but without putting the pieces together they fail to see the big picture.
  • You could be missing anomaly behavior detection methods or tools. Since users are using their legitimate access, it can be hard to spot instances when they are abusing their privileges. Anomaly behavior tools can spot changes in users’ established patterns, indicating that some of their transactions were not done for typical reasons.
  • You are focusing on the wrong users. Many tools now exist to manage and control privileged user lifecycle and access, but they generally focus on infrastructure-level administrators. However, other “golden” users with access to highly valuable information should be given the same scrutiny, including executives and users with access to financial or proprietary data.
  • Your employees might not trust you. Many times, the relationship between the manager and the workers causes threats to go undetected. To avoid any consequences from whistleblowing (potential mistreatment by the manager or other co-workers), suspicious bystanders might not speak up.
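
One way the baseline comparison described in the anomaly-detection point above can work, as an added example that is not from the original article: it counts each user's daily accesses to an inventory of sensitive resources and scores the latest day against that user's own history using the median and MAD. The resource names, users, events, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed inventory of sensitive ("crown jewel") resources.
SENSITIVE = {"finance/forecast.xlsx", "rnd/design.pdf", "hr/payroll.csv"}

def daily_sensitive_counts(events):
    """Map user -> {day: number of accesses to sensitive resources}."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, day, resource in events:
        if resource in SENSITIVE:
            counts[user][day] += 1
    return counts

def robust_score(history, value):
    """Distance of value above the median of history, in scaled MAD units."""
    med = median(history)
    mad = median([abs(x - med) for x in history])
    # Floor the scale: a perfectly flat baseline has MAD 0.
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale

def flag_anomalies(events, day, window=7, threshold=3.5):
    """Return {user: score} for users far above their own baseline on `day`."""
    flagged = {}
    for user, per_day in daily_sensitive_counts(events).items():
        # Days with no sensitive access count as 0, not as missing data.
        history = [per_day.get(d, 0) for d in range(day - window, day)]
        score = robust_score(history, per_day.get(day, 0))
        if score > threshold:
            flagged[user] = score
    return flagged

def constructed_events():
    """Constructed sample log: (user, day number, resource)."""
    events = []
    for day in range(1, 8):
        events += [("alice", day, "finance/forecast.xlsx")] * (2 + day % 2)
        events += [("bob", day, "rnd/design.pdf")]
        events += [("carol", day, "wiki/lunch-menu.md")] * 20
    events += [("alice", 8, "finance/forecast.xlsx")] * 3
    events += [("bob", 8, "rnd/design.pdf")] * 9
    events += [("bob", 8, "hr/payroll.csv")] * 5
    events += [("carol", 8, "wiki/lunch-menu.md")] * 40
    return events

if __name__ == "__main__":
    print(flag_anomalies(constructed_events(), day=8))
```

Only accesses to inventoried resources are counted, so a user whose volume doubles on non-sensitive content is not flagged, and the check depends on the data inventory being accurate.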