Boardroom Tool

Overseeing Insider Threats and Human Risk Management

By Niall Brennan

04/16/2026

Partner Content Provided by Internet Security Alliance

This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, defines insider threat and outlines the categories of insider incidents and the types of insider threat actors. It then describes the board's responsibilities, with specific actions directors can take to ensure that executive management is adequately addressing insider threats.

Introduction

Human risks and insider threats represent a significant yet often underestimated cyber risk to organizations. As more work has shifted to remote locations following the COVID-19 pandemic, the prospect of insider compromise has increased. While external cyber-attacks often dominate headlines and governance discussions, insider cyber threats can be equally, if not more, damaging because insiders have access to and knowledge of internal systems and processes. Insider threat incidents are not always malicious; they can also arise from negligence, or from employees intentionally bypassing security policies when, for example, those policies create too much friction in their workflows.

Precisely because the delivery system for this threat involves leveraging the legitimate access of “trusted insiders” (employees, contractors, vendors, and others) to an organization’s network, systems, and data, it can be harder to detect than other threats in which the forensic indicators of compromise are more immediate and obvious. Further, as agentic AI systems are introduced into corporate workflows and systems, management and oversight of this risk area must evolve.

What Is an Insider Threat?

CISA defines an insider threat as the potential for an individual or individuals with authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.

As with other forms of breach, insider threat incidents involve unauthorized access to an organization’s assets, or harm to the organization, with purposes or consequences such as:

  • sabotage
  • fraud
  • intellectual property theft
  • espionage
  • loss of share value
  • loss of consumer confidence

Types of Insider Threat Actors

Insider attacks are generally carried out by the following types of actors:

  • careless or negligent employees
  • disgruntled or departing employees
  • criminally “planted” insiders
  • third-party partners (e.g., contractors with privileged access)

Common Indicators of Insider Threats

There are certain warning signs companies can watch for to identify a potential insider threat, including:

  • poor performance appraisals
  • voicing disagreement with policies
  • disagreements with coworkers
  • financial distress
  • unexplained financial gain
  • odd working hours and behaviors
  • unusual overseas travel
  • leaving the company

The Role of the Board in Insider Risk Mitigation

The board plays a crucial role in the organization’s management of insider risk, ensuring that oversight policies and procedures are in place to protect organizational assets against potential threats. These responsibilities include understanding the risks, implementing robust controls, fostering a culture of cybersecurity awareness, continuously improving the program, and establishing reporting and communication protocols.

Understanding and Oversight

The board should have a clear understanding of the organization’s human risks and insider threat landscape, including the types of risks, vulnerabilities, and potential impacts.

  • Include briefings at regular intervals from both internal and external subject matter experts on the evolving dynamics of the insider threat. These briefings can include tailored reports on insider risk-management activities, including annual assessments, specific security incidents, and control effectiveness based on metrics and evaluations.
  • Review annual assessments prepared by operational security management, which address, among other items identified below, the organization’s specific risk and vulnerability profile vis-à-vis the insider threat. If necessary, these assessments should be supplemented with advisories at designated intervals, subject to shifting dynamics.
  • Verify that management has the necessary resources and expertise to effectively manage insider risks.

Implementing Controls

The committee responsible for cyber-risk oversight should ensure that management addresses insider risks, for example by implementing access controls, data protection measures, and other security controls to prevent and detect insider threats.

The annual assessment should detail the full range of security controls and data protection measures focused on preventing insider breaches, complete with metrics regarding relevant detections, events, incidents, and interventions.

Ensure strong policies and procedures are in place to guide and incentivize employee behavior to prevent insider threats.

  • These policies should require employees to follow specific procedures with regard to handling sensitive data and assets.
  • Policies should mandate reporting of certain defined infractions of security policies.

Fostering a Security Culture

The board should promote a culture of cybersecurity vigilance and awareness and ensure management embodies and communicates this throughout the organization.

  • The board should ensure that cybersecurity awareness programs (online and in-person training, education, and communication programs that help employees recognize and report suspicious activity) are actually being delivered, and should review whether they are effective in reducing poor security behaviors by employees.
  • The board should evaluate whether there is sufficient collaboration and coordination between the CISO and chief human resources officer (CHRO) and other C-suite executives in conducting training and promoting cybersecurity awareness across the organization.
  • All board members should practice strong personal security to further promote a strong security culture, reduce their own risk profile, and set the proper “tone at the top.”

Continuous Improvement

The board should review and oversee whether the organization’s human and insider risk-management program keeps pace with evolving threats and vulnerabilities.

Boards should monitor whether management is effectively applying lessons learned from past insider threat incidents, and whether the program demonstrates improvement over time.

Questions the Board Can Ask About Insider Threats and Human Risk

  • What is our probable loss exposure related to the insider threat scenarios?
  • What are the most effective controls, and which ones should be prioritized?
  • Boards can follow up with more detailed questions regarding the organization’s practices to defend against insider threats:
    • Does the organization have a documented insider threat mitigation plan with clearly designated oversight, management, and reporting responsibilities?
    • Who are the appropriate stakeholders to involve in the insider threat mitigation plan within the organization—information security, physical security, general counsel, human resources, corporate investigations, privacy, etc.?
  • How does the organization measure the effectiveness of its insider threat mitigation plan? Does it periodically test the plan with internal assets and external parties to validate its effectiveness?
    • Does its insider threat mitigation plan maintain procedures to properly document incidents or insider threat activity?
    • Does it maintain metrics to identify and analyze patterns of insider threat activity to assist with reducing vulnerability?
  • Does the organization have adequate programs in place to sensitize employees to insider risks and train them to detect, report, and mitigate potential incidents?
    • Do we have a security awareness program in place? Are we tracking metrics of this program to identify progress or problem areas?
    • Is there a disciplinary or continuing education framework for employees failing tests? Does it show improvement in employee behavior?
