Insider Threat Mitigation
Overview
An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems. Insider threat is the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include intentional or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.
Examples of an insider may include:
- A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information, such as financial data, business strategy, and organizational strengths and weaknesses. In the context of government functions, this could also include classified information. This person may also have both physical and digital access to sensitive spaces.
- A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).
- A person to whom the organization has supplied a computer and/or network access.
- A person who has intimate knowledge about and possibly helps develop the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.
Insider threat incidents are possible in any sector or organization.
CISA’s Role
CISA provides information and resources to help individuals, organizations, and communities create or improve existing insider threat mitigation programs. Infrastructure communities can protect the nation by working internally to protect against insider threat and sharing lessons learned. Mature insider threat programs are more resilient to disruptions, should they occur.
The key steps to mitigate insider threat are Define, Detect and Identify, Assess, and Manage. Threat detection and identification is the process by which persons who might present an insider threat risk due to their observable, concerning behaviors come to the attention of an organization or insider threat team. Threat assessments are based on behaviors, which are variable in nature. A threat assessment’s goal is to prevent an insider incident, whether intentional or unintentional. When an assessment suggests that the person of concern has the interest, motive, and ability to attempt a disruptive or destructive act, the threat management team should recommend and coordinate approved measures to continuously monitor, manage, and mitigate the risk of harmful actions.
Insider Threat Mitigation Fundamentals
Defining Insider Threats
Defining insider threats is a key step in comprehending and establishing an insider threat mitigation program.
Detecting and Identifying Insider Threats
Observing and identifying concerning behavior is a critical step in recognizing an insider threat that requires both human and technological elements.
Assessing Insider Threats
The goal of assessing a possible insider threat is to prevent an insider incident, whether intentional or unintentional.
Managing Insider Threats
Proactively managing insider threats can stop the trajectory or change the course of events from a harmful outcome to an effective mitigation.
Insider Threat Video
The Insider Threat video features security and behavior experts discussing how insider threats manifest in a variety of ways, including terrorism, workplace violence, and breaches of cybersecurity. Understanding how to recognize and respond to these various types of insider threats, whether non-violent or violent, increases an organization’s ability to protect both its people and sensitive information.
CISA’s Insider Threat Mitigation Resources
Explore products and tools designed for CISA stakeholders to define, detect, assess, and manage insider threats.
- Insider Threat Mitigation Guide
- Insider Risk Mitigation Program Evaluation (IRMPE)
Contact Us
For more information on insider threat mitigation, please send an email to central@cisa.dhs.gov.
In case of an emergency, or to report suspicious activity or events, call 9-1-1 or contact local law enforcement.