Cybersecurity and Physical Security

CISA releases insider threat mitigation guide

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new guide designed to assist individuals, organizations, and communities in establishing or improving an insider threat mitigation program.

“America’s critical infrastructure assets, systems, and networks, regardless of size or function, are susceptible to disruption or harm by an insider, or someone with institutional knowledge and current or prior authorized access,” wrote Steve Harris, Acting Assistant Director for Infrastructure Security at CISA, in a letter included in the guide.

“Public power utilities should take a risk-based approach to mitigating potential impacts from an insider threat. These steps can be low cost and the return on investment far outweighs any impacts,” said Sam Rozenberg, CPP and Director of Security and Resilience at the American Public Power Association.

“This status makes it possible for current or former employees, contractors, and other trusted insiders to cause significant damage. Insiders have compromised sensitive information, damaged organizational reputation, caused lost revenue, stolen intellectual property, reduced market share, and even harmed people,” Harris noted.

CISA said that the guide can provide value for a wide range of individuals and organizations, “from the solo practitioner in a small company that requires some assistance up to and including a sizable agency that has a staff capable of operating a full complement of insider threat professionals.”

The guide “offers valuable and achievable strategies, capabilities, and procedures to help organizations define their insider threats and then detect and identify, assess, and manage them in a comprehensive manner,” the agency said.

Program should span entire organization

CISA said that an insider threat mitigation program “spans the entire organization and should serve as a mechanism to help individuals, rather than an aggressive enforcement or a ‘gotcha’ program.”

Insider threat programs “should encourage and incentivize correct behavior with training and awareness, policy and procedure, and management practices that guide employees to act in the interest and benefit of the organization,” the guide said.

Insider threat programs should also deter and prevent wrongdoing, and detect it when it occurs. “When insiders do commit harmful acts—e.g., sabotage, theft, espionage, or physical harm—an insider threat program should mitigate the impact(s) of the insider act through appropriate management or enforcement actions. As such, it is important for organizations to balance focus, policy, processes, and messaging.”

CISA said that effective insider threat mitigation programs:

  • Tailor their insider threat program and risk appetite to the organization’s unique mission, culture, critical assets, and threat landscape;
  • Build a culture of reporting and prevention that establishes and reinforces a positive statement of an organization’s investment in the well-being of its people, as well as its overall resilience and operational effectiveness;
  • Employ multi-disciplinary capabilities that are enabled by technologies and/or dedicated personnel based on the organization’s type, size, culture, nature, business value, and risk tolerance to acts of malicious, negligent, or unintentional insiders;
  • Apply the framework of detect and identify, assess, and manage for the prevention of, protection against, and mitigation of insider threats;
  • Establish a protective and supportive culture, protect civil liberties, and maintain confidentiality; and
  • Assist organizations in providing a safe, non-threatening environment where individuals who might pose a threat are identified and helped before their actions can cause harm.

The guide is available here.

Additional insider threat mitigation resources from CISA are available here.