

CISA Releases New Guidance on Insider Threat Prevention, Mitigation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released new guidance this week for critical infrastructure owners and operators on preventing and detecting insider threats.

“Allowing America’s critical infrastructure to be compromised by an insider could have a debilitating effect on the Nation’s economic security, public health, or public safety,” wrote CISA Acting Assistant Director for Infrastructure Security Steve Harris in the guidance's introduction. “That is why it is important to understand this complicated threat, its many dimensions, and the concepts and practices needed to develop an effective insider threat program. To mitigate physical and cybersecurity threats, it is important to understand the risks posed by insiders and then build a comprehensive insider threat mitigation program that accounts for operational, legal, and regulatory considerations.”

Insider threat incidents are increasing: global insider data breaches were up 47 percent and their associated costs were up 31 percent in 2020, according to CISA’s Insider Threat Mitigation Guide. Assessments also found that 2 million people each year are directly impacted by the physical aspects of workplace violence, which costs organizations $130 billion annually.

“The measures you incorporate into your practices today could pay for themselves many times over by preventing an insider threat or mitigating the impacts of a successful attack in the future,” Harris wrote.

The CISA guide is organized into sections that walk readers through the process of establishing or enhancing an insider threat program at their organization. It also includes information on how to build and use effective threat management teams, how to implement a framework for insider threat mitigation programs, and more.

For instance, the guidance recommends taking a “proactive and prevention-focused” approach to creating insider threat mitigation programs. Doing so will help organizations define the threats specific to their environment, assess their risk, and create policies and procedures to detect and identify the threat before it turns into a full-blown incident.

Along with information on how to set up an insider threat mitigation program and obtain executive support, the guide also includes a list of tools that can help improve an organization’s ability to protect its networks, systems, facilities, and members from insider threats. These include database monitoring, whitelisting, privileged access management technologies, access control systems, network flow analysis, security information and event management systems, and data loss prevention.

“An organization should notify its employees that it is monitoring networks and systems activity by having associates sign UAM and UBA acknowledgement and Internet user policy agreements and regularly reminding individuals through network banners that the systems are active,” according to the guide. “Organizations should employ multiple technological tools, especially as the organization grows and matures. An organization should ensure it can configure the tools to look for and alert to specific behaviors related to what it values.”

Security Management has published a variety of pieces about insider threats, including the overall risk of insider threats, how they can impact the food and agriculture sector, and how to design an early warning system to detect insider threats in a remote workforce.

The guidance is the first major release for the agency after U.S. President Donald Trump fired Director Chris Krebs on Tuesday for standing by the integrity of the U.S. election system and pushing back against misinformation.

The decision to fire Krebs “spurred prompt and widespread criticism from cybersecurity community leaders, who credit Krebs for repairing the fractured relationship between the U.S. government and the private sector, as well as unifying election security intelligence and educating disparate voting system managers on cyber risks,” Security Management wrote in its coverage.

CISA Executive Director Brandon Wales is now leading the agency, taking the helm after Krebs’ Deputy Director Matthew Travis resigned under White House pressure.

“A change in leadership is not a change in mission, and it is essential that we do not lose focus on the important work we collectively undertake on behalf of the American people,” said CISA Chief of Staff Emily Early, according to Politico.