One of the most effective ways to design an insider threat program or I T. P is to start with the insider threat risk storylines that you're trying to prevent, detect or respond to
think about it as if you were writing the script for an insider threat. Spy TV show.
Each episode is a scenario.
Who are the characters? What are their motivations? What actions do they take?
Building out these narratives for each risk helps define the policies, processes and tools needed to address them.
It also helps avoid scope or scale creep so you can keep your program lean, focused and deliberate.
For example, if we have seen it once, we've seen it 1000 times the departing employees taking company. I pee on their way out.
It would seem cliche if it wasn't still such a pervasive problem.
So let's see how this narrative can help us Structure and Insider Threat program.
Max has Bean, an engineer in our company for about four years.
His career with the company started off un. Remarkably, he did his job, met expectations on was generally a good performer.
About a year ago, he applied for a job rotation program on didn't get the role. I deserve that role. After all the work I've done on Project Starlight, you'd think they would understand how critical I am to the future of this company. And they gave it to Ron. What a hack.
Things started to G o downhill. Max's attitude took a nosedive. He started developing Aled these bad habits, including coming into work late, missing meetings, being combative with co workers.
What's the point of busting my butt when I don't get rewarded for my efforts? Everyone noticed. But people generally felt bad for him, so no one spoke up or thought much of it. It was pretty clear
he was looking for a new job, and people assumed he'd leave before the next performance review cycle.
I'll be out of here soon, and I'm bringing all of my hard work with me.
Sure enough, Max gave his resignation notice. That's when things got a bit more intense. He started bragging to co workers about his new role with the company that was a direct competitors.
It's like he forgot all about the work he had done on the colleagues he had.
He kept saying things about how the new company really understood his true value on how within a few months he'd be able to help them take the number one spot in the industry.
All the work I've done on Project Starlight is really gonna make me a big shot at my new gig. I've been able to copy all my project files to cloud storage so I can access them after I leave.
Not to mention I've been sinking my laptop to, ah, home network. Back up. So all my local files air safely tucked away in my basement. A few months later, everyone was shocked to see a big product announcement from their competitors.
Not only had they beaten them to the market, but their product enhancements were very similar to their own planned product release. So long, suckers.
The overlooked value in stories like these lies in its ability to inform so many aspects of an insider threat program
what we may be lacking in context for our little fictional narrative. It's easy to see what should have been in place here regarding policies, processes and people.
And for that let's hear from Kathleen Sikora
employees that saw concerning behavior by a colleague should have had the training and capabilities to anonymously report their concerns to some type of HR or ethics hotline
managers should have regular check ins with employees to assess not only performance but also job satisfaction, expectations and career development.
They should also have a clear pathway to involve HR in any more serious issues, which should be documented and recorded an employee records. As for off boarding when Max gave his notice, there should have been a defined set of steps potentially across multiple departments to process his separation
everything from disabling access and accounts
to collection of hardware and assets to monitoring of data access and egress leading up to departure, and a formal exit interview, including a reaffirmation of India's and intellectual property agreements.
All of this can inform what type of technology and tools you may need. For example, do you have an HCM that is integrated with your I T and security teams to kick off an employee off boarding checklist
in our little story? Data egress via cloud storage and backups to ah Home network were the major ex filtration vectors.
So what does this story highlight in terms of your I t. P s technical needs.
Do you have tools that give the visibility you need to monitor data egress for departing employees?
What tools and data would be needed toe. Identify this in near real time
with those tools, enable you to understand exactly what I P was taken. And could you retrieve those files?
What does your organization's current cloud collaboration space look like?
Our employees enable to work productively and efficiently and as that balanced with proper security measures and visibility?
These are the types of questions a comprehensive narrative can prompt you to ask as you build out and configure your program.
In this video, we covered one common scenario. Data theft by a departing employee.
But how would you write the story for, say, data exfiltration by high risk employees, potentially the team working on your next big product launch?
What about risks with mergers and acquisitions, or maybe insider trading and collusion?
At the end of the day, these narratives air much more than a fun exercise and storytelling.
By digging deeper into every facet of the story, you can identify insider threat risk attributes and start mapping out the policy process and technology needs of your program.
This is a great opportunity to foster collaboration among insider threats stakeholders like HR, legal and business leaders.
They'll have great insights into aspects of these narratives that will help drive prioritization and use cases for your program.
It will also facilitate cooperation between these stakeholders as the program matures and investigations swing into high gear.
customized these narratives around what is important and specific to your organization and insider threat program objectives,