Addressing People, Process and Technology to Stop Insider Threat

The recent arrest of National Security Agency contractor Harold Martin for the removal of classified material and theft of government property has put insider threat back in the news. While they make the headlines as individuals, cases like Martin and Edward Snowden are not isolated. In 2015, IBM’s CyberSecurity Intelligence Index revealed that 55 percent of attacks across all industries were carried out by someone who had insider access. Yet, a 2016 Gartner survey found that only 18% of organizations have a formal program in place to address the problem.

In an effort to deal with the horror-story scenario of “the call is coming from inside the house,” the government issued Executive Order 13587 and NISPOM Change 2 to increase protections against insider threat within government agencies and contracting companies. NISPOM Change 2 requires contractors to “establish and maintain an insider-threat program to detect, deter and mitigate insider threats.” The November 30 deadline to certify compliance with NISPOM Change 2 is fast approaching, and in order to do this, contractors and agencies alike must address the full spectrum of people, processes and technology.


Many kinds of people present potential insider threats. There are malicious insiders like Snowden who show signs of intent; but there are other more insidious or latent insiders like Martin who, even in hindsight, show no obvious signs of being a threat. Becoming familiar with the personality and behavioral hallmarks typical of insiders is the best way to proactively suss out potential threats, and the Federal Government makes that kind of information available on

Then you also have accidental insiders – the employee who unwittingly clicks on a phishing email and uploads malware to the network, or who downloads classified material without any nefarious intent. These people may be considered the low-hanging fruit when it comes to curbing insider threats, and training employees is of paramount importance from the start. Educating them on basic cyber hygiene, including the spread of phishing schemes and the dangers surrounding mobile devices, can go a long way toward tightening up the security posture of an organization.



Education lays a solid foundation for ensuring that threats from within an organization are averted, but this is just the first step in a process to create a comprehensive internal security strategy. Beyond education, it is also important to know what assets an organization has and which of those need to be protected; so in addition to knowing about the people who are working for them, organizations should maintain an inventory of data. By focusing on both users and the data as separate entities, organizations can correlate activity in either category to spot anomalies. It also aids in authentication and proper encryption processes.


Technology is key to managing both people and assets to contain internal security threats. Organizations should be implementing data-centric security that looks at the enterprise as a whole, and not just individual endpoints such as networks, servers, databases or the cloud. This level of visibility across the entire enterprise provides:

  • Comprehensive data discovery. Scanning laptops, servers, databases, file shares, and the cloud locates previously hidden pockets of sensitive information and ensures comprehensive discovery of sensitive data.
  • Classification for accuracy. Data classification accurately prioritizes the data to inform security strategy. Your organization’s data can be segmented by importance using a combination of context, content and user-based classification, enabling allocation of resources for the most critical information.
  • Anytime, anywhere data protection. Organizations should operate according to the rule of thumb that data should be protected in use, in motion or at rest.

Digital Guardian is one software solution that has been adopted by certain public sector agencies to address the people-process-technology vector – the critical recommended strategy for mitigating insider threat, outsider threat protection, data integrity, user activity monitoring, and user classification. The new federal website provides an in-depth look at the unique challenges of insider threat in government organizations and provides guidance using real examples of insider threat-prevention best practices. Additionally, Senior Director of Cyber Security Tim Bandos at Digital Guardian will present on advanced threat protection and its impact on Adversary Tradecraft Attrition at the Alamo Ace conference this December.
