Defining the insider threat

An insider threat is an individual with access to an organization’s systems and data, who, through either malicious or inadvertent actions, can cause irreparable damage to the organization itself, other industries, government and even citizens. Malicious activities can include theft, espionage, sabotage and insider trading. Non-malicious activities can include falling victim to phishing, malware and ransomware attacks from malicious outsiders.

What is your organization doing to protect against insider threats?

Is your organization just doing enough to meet baseline regulatory requirements until there is an insider threat incident? If you’ve already had an incident, are you doing enough to make sure it does not happen again and repair the reputational damage? Or, like most organizations, are you always trying to catch up?

Best practices in defining insider threat programs

Federal government guidance

Given the lack of industry-specific guidance for developing insider threat programs, CGI recommends that all organizations look to existing federal guidelines and requirements to define an insider threat program, including:

  • Executive Order 13575 (October 2011) requiring federal government executive agencies to establish insider threat programs
  • DoD 5220.22-M National Industrial Security Program Operating Manual (NISPOM) Conforming Change 2 (May 2016) requiring cleared contractors to establish insider threat programs
  • The NISPOM Industrial Security Letter (ISL) 2016-2 (2016) providing guidance to cleared contractors on insider threat program implementation
  • The NIST 800-171 guidance on “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” (August 2015) covering requirements for unclassified computer systems and networks and requiring insider threat program training for organizations. This requirement is effective December 31, 2017.