How to Create an Insider Incident Response Plan
It is time for organizations to face reality: the sheer number of cyber attacks all but guarantees that every organization will at some point be under attack by an insider, maliciously or not. It is therefore important that organizations have a well-thought-out incident response plan in place to limit the effects of a breach. In 2015, 62% of organizations that responded to AT&T’s Cyber Security Insights report admitted to having been breached, but only 34% believed they had an effective incident response plan in place.
Chuck Brooks, vice president at Sutherland Global Services, explained:
“Breaches can happen and likely will happen sooner than later.”
This underlines the vital role of an Insider Incident Response Plan. The first step in creating one is to accept this reality and recognize that an incident response plan is a business imperative. Guy Bunker of Clearswift states that:
“The first failure a company makes is not having a plan”.
Implementing technology to detect, and even prevent, insider threats is a vital part of an Insider Incident Response Plan, but understanding how to use it is just as important. Begin by creating a policy and standards that define what can and cannot happen within the network. Once it is understood where the organization’s data and critical assets are located, access to them can be monitored and violations flagged. It is extremely important that response teams are empowered to act on the plan when a breach unfolds:
“Does the incident response team have the necessary authority to confiscate or disconnect equipment and monitor suspicious activity if required? If legal, HR, security, audit and leadership are not involved in defining the plan, legal rights could be compromised during a cyber incident” says Kyle F. Kennedy, CISO at Cyber Security Network, underlining how much a successful response plan depends on cohesion within the team.
Organizations need to build the right team as part of their Insider Incident Response Plan. The team needs a combination of leadership and expertise, so it is essential to select people who are up to date on the changing digital threat landscape and who have thorough knowledge of the network. Steven Fox, senior cyber security officer at the U.S. Department of the Treasury, believes:
“An incident response plan relies on an influential leader that can both articulate the business need for IT investments and rally the associated technical expertise.”
It is vital for an organization to be ready to handle an insider threat in a timely and consistent way. That means knowing who needs to be involved, who has the authority to act, who should be coordinated with, whom to report to, what actions need to be taken, and what improvements to make to the network after the incident. The overall goal of an Insider Incident Response Plan is to Prevent, Detect and Respond.
For an Insider Incident Response Plan to succeed, multi-level training and awareness must come first. All staff need to understand what an insider threat is and the types of activity and motivation that surround it. Staff also need to know the consequences of an incident, both for the individual and for the organization. Through training and refresher courses, staff should be told what to report, to whom and when, regarding suspicious human or computer activity. At the same time it is important that staff understand how their computer activity is monitored while connected to the network. Different types of insider threat, including fraud, theft of IP, espionage and sabotage, call for different processes, and these should also be covered in training.
Part of the Insider Incident Response Plan is how to handle the aftermath of an attack. Retraining should be at the forefront of the response so that other members of staff understand how insider attacks happen, both accidentally and maliciously.
An insider attack can be very damaging to an organization, so if one takes place it is important to learn from it in order to prevent further attacks. In some respects an insider attack is the best opportunity to learn: organizations can learn from their own response, and reviewing that response should be an explicit part of the Insider Incident Response Plan. It is also an opportunity to update policies, procedures and practices that may be out of date, though it is not recommended to wait until after an attack to update them!
The CERT Division of Carnegie Mellon’s Software Engineering Institute has published this top 10 list for winning the battle against insider threats:
- Learn from past incidents
- Focus on protecting the “crown jewels”
- Use your current technologies differently
- Mitigate threats from trusted business partners
- Recognize concerning behaviors as a potential indicator
- Educate employees regarding potential recruitment
- Pay close attention at resignation/termination
- Address employee privacy issues with General Counsel
- Work together across the organization
- Create an insider threat program now!
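Two of the points above, protecting the “crown jewels” and paying close attention at resignation/termination, together with the earlier advice to map critical assets so that access violations can be monitored, can be turned into a small detection routine. The following Python script is an added example and is not code from the original article or from CERT/SEI; the asset policy, user roster, 30-day notice window, log format and log lines are all constructed for this illustration.

```python
"""Flag accesses to critical assets that violate policy or occur during a notice period.

Added example, not from the original article or from CERT/SEI. The asset
policy, user roster, 30-day notice window and log format below are all
hypothetical, constructed for this illustration.
"""
import re
from dataclasses import dataclass
from datetime import date

# Hypothetical "crown jewel" inventory: path -> groups allowed to access it.
ASSET_POLICY = {
    "/srv/finance/ledger": {"finance", "audit"},
    "/srv/rd/source": {"engineering"},
    "/srv/hr/personnel": {"hr"},
}

# Hypothetical directory + HR data: group membership and a known leaving date.
USERS = {
    "alice": {"groups": {"finance"}, "leaving": None},
    "bob": {"groups": {"engineering"}, "leaving": date(2016, 3, 31)},
    "carol": {"groups": {"hr"}, "leaving": None},
}

# Hypothetical audit-log line format: "<timestamp> user=<u> action=<a> path=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+)$"
)

NOTICE_WINDOW_DAYS = 30  # assumed length of a resignation notice period


@dataclass
class Finding:
    ts: str
    user: str
    path: str
    reason: str


def parse_line(line):
    """Return the event fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_event(ev, today):
    """Apply both checks to one parsed event; only crown-jewel paths are examined."""
    allowed = ASSET_POLICY.get(ev["path"])
    if allowed is None:
        return []  # not a critical asset, out of scope for this monitor
    user = USERS.get(ev["user"])
    if user is None:
        return [Finding(ev["ts"], ev["user"], ev["path"], "unknown account")]
    findings = []
    if not (user["groups"] & allowed):
        findings.append(Finding(ev["ts"], ev["user"], ev["path"],
                                "access outside authorised groups"))
    leaving = user["leaving"]
    if leaving is not None and 0 <= (leaving - today).days <= NOTICE_WINDOW_DAYS:
        findings.append(Finding(ev["ts"], ev["user"], ev["path"],
                                "access during notice period"))
    return findings


def scan(lines, today):
    """Run every log line through the checks and collect the findings in order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            findings.extend(check_event(ev, today))
    return findings


# Constructed sample log: one clean access, one group violation, one access by a
# departing engineer, one unknown account, one non-critical path, one bad line.
SAMPLE_LOG = [
    "2016-03-10T09:01:00 user=alice action=read path=/srv/finance/ledger",
    "2016-03-10T09:05:00 user=alice action=read path=/srv/rd/source",
    "2016-03-10T10:00:00 user=bob action=copy path=/srv/rd/source",
    "2016-03-10T11:00:00 user=dave action=read path=/srv/hr/personnel",
    "2016-03-10T11:30:00 user=carol action=read path=/home/carol/notes.txt",
    "malformed entry that should be skipped",
]
SAMPLE_TODAY = date(2016, 3, 10)


def demo():
    """Scan the constructed sample log with the constructed 'today'."""
    return scan(SAMPLE_LOG, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.ts} {f.user} {f.path}: {f.reason}")
```

On the sample input the routine produces three findings: alice reading the R&D source tree she is not authorised for, bob copying that tree 21 days before his recorded leaving date (authorised by group, but inside the notice window), and an access by an account that is not in the roster. In a real deployment the roster and leaving dates would come from the directory and HR systems, and, as the list above says, the monitoring itself should be agreed with General Counsel and explained to staff before it is switched on.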