Insider Threat Assessment
As Insider Threat Risk Grows, Is Your Organization Prepared?
Nearly nine in 10 executives are planning to expand their firms’ insider threat prevention capabilities in the next 48 months, as shifts in how and where users and employees access and store data increase threat risk.
Take the 5-minute assessment to:
- See how your insider threat program compares to your peers
- Get an actionable plan to advance your program in maturity
Results Overview
Your score means you are a beginner / intermediate / advanced with your insider threat practice, like 36% / 44% / 20% of your peers in our survey of 300 global decision-makers.
Your personalized action plan
Beginner
Your score means you are most likely just beginning to set up an insider threat function at your organization. Now is the time to prioritize insider threat protection for your organization: 87% of US business decision-makers plan to expand their insider threat capabilities in the next one to two years. Here are some tactical recommendations on how to plan and get the most out of your insider threat development activities and investments:
Culture: Insider threat is not solely the responsibility of the security and risk team; it concerns the entire organization.
How to get started:
- Get buy-in from the top down by demonstrating the importance of insider threat protection. Our study found that half of all US decision-makers’ companies had more than 10 insider threat episodes in the past two years, and half had episodes with major impact on brand or business processes or had major financial losses due to lawsuits and fines. Decision-makers at companies with the same maturity level as yours named compliance with regulations and brand protection as two main reasons for developing insider threat capabilities.
- Position your insider threat team outside of your existing cybersecurity organization. Many firms align insider threat programs to HR, legal, or their CSO (chief security officer).
Personnel: Build a dedicated team responsible for insider threat monitoring.
How to get started:
- Develop a group of stakeholders from technical (IT, security, risk) and business (legal, HR, business heads) groups to provide input and play a part in the program. Functions like HR, legal, privacy, and security should be part of your insider threat program. Functions like internal audit, risk, privacy, and technology should be part of your support organization. Line-of-business owners provide business context for employee behavior.
- Train insider threat staff to recognize insider threat activity like reconnaissance, unauthorized access, file movement/obfuscation, and data exfiltration. Specialized training and certification can be a valuable investment for your team. Our study showed that insider threat teams’ expertise/training is the top factor insider threat beginners like you would like to improve.
- Conduct regular trainings for personnel management and business owners on insider threat and acceptable use policies.
Data: Set up a scalable data risk framework that will easily adapt to your company’s growth.
How to get started:
- Classify data according to the types and levels of associated risks, accounting for where data is being accessed.
- Include a wide array of insider threat indicators in your data risk framework. On average, low-maturity companies use fewer types of insider threat indicators than more mature companies (3 vs. 5). Here are the top 5 indicators used by high-maturity companies that are rarely used by beginners:
  - Transferring data to personal email addresses or to emails of organizations our company doesn’t work with.
  - Behavioral changes communicated to security/insider threat team by HR/line managers.
  - Attempts to obfuscate sensitive data by changing file types, file extensions, or encrypting files, etc.
  - Unusual creation of new user or admin accounts.
  - Unusual or abnormal network or system reconnaissance activities.
Policy: Set up fair and transparent insider threat policies that won’t create operational or HR barriers for future growth.
How to get started:
- You can borrow from existing policies regarding acceptable use of technology and employee theft policies for the basis of your insider threat policies. That way, there is existing precedent for the policies, and workers should be familiar with existing rules.
- Regularly review policies and procedures to guarantee consistency and fairness and make sure they don’t impede employee productivity or violate their privacy. Setting up processes in a way that doesn’t violate employee privacy regulations and doesn’t impede their productivity are among the top 3 challenges low-maturity companies experience when developing their insider threat capabilities.
Process: Build clear processes for determining how investigations are conducted and what actions will be taken if insider threats are detected.
How to get started:
- Make sure you can recognize the difference between types of insider threat — malicious, accidental, and compromised account. Each can be damaging and can have similar harmful results but must be handled differently.
- Know how you will handle malicious insiders and develop consistent processes to deal with these incidents.
- Compromised accounts are typically external threat actors acting as if they are an insider, using the insider’s credentials, and should be handled by the security team as such. Only one-third of beginners consider the risk from compromised accounts in their insider threat protocols, compared to more than half of medium- and high-maturity companies.
- Accidental insiders must be trained not to make the same mistake again or risk consequences as defined by policies. Insider threat beginners like you consider employee training on the risks and consequences of negligence/misuse of sensitive data the most needed improvement as it relates to their insider threat function.
- Treat every investigation as if it could end up in court.
- You can borrow from existing processes regarding acceptable use of technology and employee theft policies for your insider threat processes.
Technology: Invest in solutions to help detect insider threats that can be easily upgraded as your company grows.
How to get started:
- Invest in data loss prevention (DLP), cloud access security broker (CASB), security information and event management (SIEM), and email monitoring as the basis of your threat detection technologies.
- Only 24% of insider threat beginners consider their current insider threat technology very effective. Make sure that your solutions complement and enhance your existing policies and processes and do not interfere with worker privacy or productivity. Work with technology partners to ensure that your solutions are effective, and take advantage of training from partners to ensure the insider threat team and partners know how to best utilize your insider threat solutions.
Intermediate
Your score means you are in the process of building an insider threat function at your organization. You are not a novice, but there are still several steps to improve your protection against insider threats. Now is the time to prioritize insider threat protection for your organization: 87% of US decision-makers plan to expand their insider threat capabilities in the next one to two years. Here are some tactical recommendations on how to plan and execute your improvement strategy.
Culture: Continue to develop a strong insider threat culture at your organization.
How to get started:
- Establish workflows between cross-departmental stakeholders to communicate, collaborate, and orchestrate insider investigations. Only a third of your intermediate peers collaborate with legal, HR, finance, or operations departments on insider threat initiatives.
- Incorporate insider threat as part of governance cadence to build collaboration among stakeholders through regular meetings. Lack of collaboration between the stakeholders (i.e., IT, HR, legal) is the top organizational challenge your intermediate peers experience with insider threat initiatives.
- Position your insider threat team outside of your existing cybersecurity organization. Many firms align insider threat programs to HR, legal, or their CSO (chief security officer).
Personnel: Invest in insider threat expertise to hone your practice.
How to get started:
- The insider threat analyst role is a mix of technical, investigative, and relationship management skills. Candidates often have diverse backgrounds, including military, law enforcement, or intelligence professionals, so you may need to think outside the box to find the right skill set for the job. Seventy percent of insider threat analysts at Fortune 500 companies were external hires.
- Make sure the insider threat analyst role is visible to the organization to raise the profile of the role.
- Your insider threat team should have specialized training and goals directly correlated to insider threat; elements from security, risk, and legal are all appropriate to consider in this structure.
- Conduct regular trainings for personnel management and business owners on insider threat and acceptable use policies.
Data and Policy: Tailor data frameworks and user policies to how employees work and what systems they use.
How to get started:
- Examine what systems employees utilize on a regular basis to understand if there are high-risk entry and exit points. Ensure data frameworks account for where data is accessed and establish detailed policies concerning acceptable and suspicious behaviors related to system access and data use.
- Gain an understanding of why employees circumvent policies and ensure that your policies do not have a detrimental impact on the employee experience while still monitoring for suspicious activity.
Process: Build out your training processes to engender employee trust.
How to get started:
- Make sure employee training is a well-defined and repeatable process. Part of training should be testing to make sure users understand the risks and consequences of noncompliance.
- All insider threat investigation processes should be implemented as rank-agnostic, with executives and workers subject to the same rules and processes.
Technology: Select and implement technology to enhance your policies and processes. A trusted partner can help with best practices and customization.
How to get started:
- Utilize insider threat-specific monitoring tools like UBA, UAM, and file activity monitoring to detect unusual or suspicious insider behaviors that prioritize alerts based on risk (user, data, device, and activity).
- Employ monitoring tools for all environments that store or work with sensitive data, wherever it resides (on-premises, data center, SaaS, cloud). Thirty percent of your peers look for technology that makes it easy to understand when an alert requires further investigation, which is based on the understanding of how different employees work and what information/system access they may need for their work.
- Use automation and case management to gather needed information for investigations and to kick off workflows between stakeholders.
- Make sure that your solutions complement and enhance your existing policies and processes. Work with technology partners to ensure that your solutions are effective, and take advantage of training from partners to ensure the insider threat team and partners know how to best utilize your insider threat solutions.
Advanced
Congratulations, your score means that your insider threat practice is thriving today. This is no time to rest on your laurels, however: 93% of your advanced peers are still planning to expand their insider threat capabilities in the next one or two years. To continue to grow your practice effectively and improve your business results, follow these key recommendations:
Culture: Build a culture of transparency to strengthen employee buy-in.
How to get started:
- Stakeholder buy-in is critical but often not a challenge for advanced insider threat organizations like yours. Just as critical, however, is getting employee buy-in as well. Turn your workers into program advocates by communicating about the program transparently. Employees should understand how the program works through education and training. Employees who feel like they are on the team will be more willing to follow policies and help, rather than hinder, insider threat cases.
- Position your insider threat team outside of your existing cybersecurity organization. Many firms align insider threat programs to HR, legal, or their CSO (chief security officer).
Personnel: Invest in insider threat expertise to hone your practice.
How to get started:
- Enhance your insider threat team with experts with backgrounds in investigation, counterintelligence, or cybersecurity with a mandate to look for and investigate insider threats.
- Collaborate with legal on an ongoing basis to refine policies, procedures, and desired outcomes from investigations.
Data: Tailor data frameworks and user policies to how employees work and what systems they use.
How to get started:
- Examine what systems employees utilize on a regular basis to understand if there are high-risk entry and exit points. Ensure data frameworks account for where data is accessed, and establish detailed policies concerning acceptable and suspicious behaviors related to system access and data use. Advanced insider threat companies deal with a lot of different types of sensitive data, with the vast majority (86%) having access to customer PII data and half of them considering it to be at high risk.
- Gain an understanding of why employees circumvent policies, and ensure that your policies do not have a detrimental impact on the employee experience while still monitoring for suspicious activity.
Policy and process: Maintain fair and transparent insider threat policies and processes.
How to get started:
- Ensure user privacy is protected at all times, obfuscating user identities until opening an investigation as determined by process. About half of advanced companies still use insider threat monitoring data for other purposes (e.g., monitoring employee productivity), which can undermine employee trust and create other business challenges.
- Keep investigations confidential between the insider threat team and stakeholders until policy determines they should become known.
Technology: Select and implement technology to enhance your policies and processes. A trusted partner can help with best practices and customization.
How to get started:
- Utilize insider threat-specific monitoring tools like UBA, UAM, and file activity monitoring to detect unusual or suspicious insider behaviors that prioritize alerts based on risk (user, data, device, and activity).
- Employ monitoring tools for all environments that store or work with sensitive data, wherever it resides (on-premises, data center, SaaS, cloud). Thirty percent of your peers look for technology that makes it easy to understand when an alert requires further investigation, which is based on the understanding of how different employees work and what information/system access they may need for their work.
- Use automation and case management to gather needed information for investigations and to kick off workflows between stakeholders.
- Make sure that your solutions complement and enhance your existing policies and processes. Work with technology partners to ensure that your solutions are effective, and take advantage of training from partners to ensure the insider threat team and partners know how to best utilize your insider threat solutions.
Next Steps
Forcepoint helps organizations take a Zero Trust approach to security with risk-adaptive data protection that combines visibility, analytics, and control into a single solution.
Download The Complete Guide to Insider Risk to learn effective strategies and tactics for dealing with insider risk and the key elements of an Insider Risk program.
Forcepoint helps organizations take their security to the next level with risk-adaptive data protection that combines visibility, analytics, and control into a single solution. Connect with a Forcepoint expert today to learn how to detect and mitigate insider threats ahead of loss.
Download the eBook: Risk-Adaptive Data Protection: The Behavior-based Approach to learn more about how Forcepoint’s Data Loss Prevention (DLP) provides the intelligence to deliver true, dynamic, automated enforcement.
Forcepoint helps organizations take their security to the next level with risk-adaptive data protection that combines visibility, analytics, and control into a single solution. Connect with a Forcepoint expert today to get started setting up your insider threat and data protection program.
Methodology
In this study, Forrester conducted an online survey of 300 decision-makers at firms in the US, Canada, the UK, France, Germany, China, India, and Australia with $10B (USD) or greater annual revenue to evaluate the current state and challenges of insider threat function in their organizations. Survey participants included decision-makers responsible for cybersecurity strategy and maintenance at their organizations. The study was completed in November 2020.
Disclaimer
Although great care has been taken to ensure the accuracy and completeness of this assessment, Forcepoint and Forrester are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein.