Insider threat programs started with counter-espionage cases in the government. Today, insider threat programs have become a more common practice in all industries, as companies understand the risks associated with not having one. To build a program, you must first understand what an insider threat is.

An insider threat is an employee, contractor, visitor or other insider who has been granted physical or logical access to a company and who can cause extensive damage. Damage ranges from emotional or physical injury to personnel, through financial and reputational loss, to data loss or manipulation and destruction of assets.

Financial and confidential information

Most threats come from the accidental insider. For example, it’s the person who is working on a competitive sales pitch on an airplane and is entering financial and confidential information. They are working hard, yet their company’s information is exposed to everyone around them. Another type of insider, the compromised insider, is the person who accidentally downloaded malware when clicking on a fake, urgent email, exposing their information.

Malicious insiders cause the greatest concerns. These are the rogue employees who may feel threatened. They may turn violent or take action to damage the company. Or you have the criminal actor employees who are truly malicious and have been hired or bribed by another company to gather intel. Their goal is to gather data and assets to cause damage for a specific purpose. While malicious insiders only make up 22% of the threats, they have the most impact on an organization. They can cause brand and financial damage, along with physical and mental damage.

Insider threat program

Once you determine you need an insider threat program, you need to build a business case and support it with requirements. Depending on your industry, you can start with regulatory requirements such as HIPAA, NERC CIP, PCI, etc. Talk to your regulator and get their input.

Next, get a top-to-bottom risk assessment to learn your organization’s risks. A risk assessment will help you prioritize your risks and provide recommendations about what you need to include in your program.

Begin by meeting with senior leadership, including your CEO, to discuss expectations. Creating an insider threat program will change the company culture, and the CEO must understand the gravity of his/her decision before moving forward. Everyone needs to be on board, understand the intricacies of enacting a program and support it before it’s implemented.

Determining the level of monitoring

The size and complexity of your company will determine the type of program needed. One size does not fit all. It will determine what technologies are required and how many personnel are needed to execute the program. The company must determine what level of monitoring is needed to meet its goals.

After the leadership team decides, form a steering committee that includes someone from legal, HR and IT. Other departments can join as necessary. This team sets up the structure, lays out the plan, determines the budget and what type of technologies are needed. For small companies, the best value is education. Educate your employees about the program, build the culture and promote awareness. Teach employees about the behaviors you are looking for and how to report them.

Behavioral analysis software

The steering committee will need to decide what is out of scope. Every company is different and you need to determine what will gain employee support. The tools put in place cannot monitor employee productivity (web surfing). That is out of scope and will disrupt the company culture.

What technology does your organization need to detect insider threats? Organizations need software solutions that monitor, aggregate and analyze data to identify potential threats. Behavioral analysis software looks at patterns of behavior and identifies anomalies. Use business intelligence/data analytics solutions to solve this challenge. These solutions learn the normal behavior of people and notify security staff when behavior changes. This is done by setting a risk score. Once the score crosses a determined threshold, an alert is triggered.
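
The baseline-and-threshold scoring described above, as an added Python example that is not from the original article or from any vendor product. The signal names, weights, threshold and sample data are all constructed assumptions; the out-of-scope set reflects the steering committee's decision that productivity signals such as web surfing are never scored.

```python
from statistics import mean, pstdev

# All names and numbers below are constructed assumptions for illustration.
WEIGHTS = {                      # how much one standard deviation of excess counts
    "sensitive_file_reads": 3.0,
    "after_hours_badge": 2.0,
    "removable_media_writes": 4.0,
}
OUT_OF_SCOPE = {"web_browsing_minutes"}   # ruled out by the steering committee
ALERT_THRESHOLD = 10.0
MIN_BASELINE_DAYS = 5            # below this, "normal" is not yet known
SIGMA_FLOOR = 1.0                # a flat history must not make +1 event look extreme
Z_CAP = 6.0                      # one signal alone cannot run the score away


def build_baseline(history):
    """history: list of per-day {signal: count} dicts -> {signal: (mean, std)}."""
    if len(history) < MIN_BASELINE_DAYS:
        return {}
    baseline = {}
    for signal in WEIGHTS:
        values = [day.get(signal, 0) for day in history]
        baseline[signal] = (mean(values), max(pstdev(values), SIGMA_FLOOR))
    return baseline


def risk_score(baseline, today):
    """Weighted sum of how far today's counts sit above the user's own normal."""
    contributions = {}
    for signal, count in today.items():
        if signal in OUT_OF_SCOPE or signal not in baseline:
            continue                      # never score what is out of scope
        mu, sigma = baseline[signal]
        z = min(max((count - mu) / sigma, 0.0), Z_CAP)   # only increases count
        if z > 0:
            contributions[signal] = round(WEIGHTS[signal] * z, 2)
    return round(sum(contributions.values()), 2), contributions


def evaluate(user, history, today):
    baseline = build_baseline(history)
    score, why = risk_score(baseline, today)
    return {
        "user": user,
        "baseline_ready": bool(baseline),
        "score": score,
        "alert": score >= ALERT_THRESHOLD,
        "why": why,                       # context for the analyst
    }


# Constructed sample data: ten ordinary days for one user.
HISTORY = [
    {"sensitive_file_reads": n, "after_hours_badge": 0, "removable_media_writes": 0}
    for n in (4, 5, 6, 5, 4, 6, 5, 5, 4, 6)
]
ORDINARY_DAY = {"sensitive_file_reads": 6, "web_browsing_minutes": 400}
UNUSUAL_DAY = {"sensitive_file_reads": 40, "after_hours_badge": 1,
               "removable_media_writes": 2}

if __name__ == "__main__":
    for label, day in (("ordinary", ORDINARY_DAY), ("unusual", UNUSUAL_DAY)):
        print(label, evaluate("user-1001", HISTORY, day))
    # A new hire with two days of history is not scored yet.
    print("new hire", evaluate("user-2002", HISTORY[:2], UNUSUAL_DAY))
```

The `why` field keeps the per-signal contributions with every result, so an analyst sees which behavior moved the score rather than a bare number.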

Case and incident management tools

Predictive analytics technology reviews behaviors and identifies sensitive areas of companies (pharmacies, server rooms) or files (HR, finance, development). If it sees anomalous behavior, it can predict behaviors. It can determine if someone is going to take data. It helps companies take steps to get ahead of bad behavior.

User sentiment detection software can work in real time. If an employee sends hostile emails, they are picked up and an alert is triggered. The SOC and HR are notified and security is dispatched. Depending on how a company has set up this process, it could potentially save lives. Now that your organization has all this data, how do you pull it together? Case and incident management tools can pool data points and create threat dashboards.

Cyber detection system with access control

An integrated security system is recommended for a successful program. It eliminates bubbles and shares data so that patterns can be seen in real time. If the HR, security and compliance departments are each doing investigations, they can consolidate their systems into the same tool for better data aggregation. Companies can link their IT/cyber detection system with access control. Deploying a true, integrated, open system provides a better insider threat program.

Big companies should invest in trained counterintelligence investigators to operate the program. They can help identify the sensitive areas, the people who have the most access to those areas or are in a position to do the greatest harm to the company, and whom to build mitigation plans around. They also run the investigations.

Potential risky behavior

You need to detect which individuals are interacting with information systems that pose the greatest potential risk. You need to rapidly and thoroughly understand the user’s potential risky behavior and the context around it. Context is important. You need to decide what to investigate and make it clear to employees. Otherwise you will create a negative culture at your company.

Develop a security-aware culture. Involve the crowd. Get an app so if someone sees something they can say something. IT should not run the insider threat program. IT is the most privileged department in an organization. If something goes wrong with an IT person, they have the most ability to do harm and cover their tracks. They need to be an important partner, but don’t let them have ownership and don’t let their administrators have access.

Educating your employees and creating a positive culture around an insider threat program takes time and patience. Using the right technology along with thorough processes will result in a successful program. It’s okay to start small and build.


Author profile

Dan Bissmeyer Business Development Manager, AMAG Technology, Inc.
