Mar 19, 2021

New Forrester Research says ‘Motivations & Indicators’ are Key to Mitigating Insider Threats


One thing is clear: everyone is waking up to the reality that mitigating insider threats can’t be done with rules or by monitoring a select few high-risk individuals. We are WAY past the days of Robert Hanssen and Edward Snowden. Every user is a threat… malicious, compromised, negligent or otherwise.

In fact, according to Forrester Research’s latest insider threat report, Best Practices: Mitigating Insider Threats, inadvertent misuse of data accounted for 39% of the data breaches that their survey respondents attributed to insiders. So how is an already overworked cybersecurity team, drowning in data and alerts, supposed to protect a distributed workforce and prevent data loss while finding malicious actors without invading trusted insider and third-party privacy? It’s not easy, but it can and must be done, according to Forrester.

The report offers three key takeaways for security pros and outlines best practices for designing, implementing and administering an insider threat program that works. The Key Takeaways Forrester calls out are:

  1. Insiders Are Responsible For Almost A Quarter Of Data Breaches – With trusted access to your most sensitive data, insiders represent a real threat to your business. Almost one-quarter of our survey respondents told us their firm experienced an insider incident — either inadvertent or malicious misuse of data.
  2. Insider Threats Are Not A Technology Problem – Insiders are people, not computers. Treating insiders as a technology problem ignores the human aspects of motivation and behavior. Detecting insiders requires a defined process and a focused team in addition to detection technologies.1
  3. The COVID-19 Pandemic Created Perfect Conditions For Insider Threats – Organizations globally moved quickly in response to the COVID-19 pandemic, sending workers home, reducing staff, and taking cost control actions. The lack of visibility caused by remote working plus the fear and uncertainty caused by these moves create ideal conditions for insider incidents.

By our assessment, the most interesting and important statement Forrester makes in this research is that ‘Insider Threats Are Not A Technology Problem’ and that insider motivations and behavior must be understood to accurately and proactively mitigate risks caused by insiders.

Security teams spend a lot of time, perhaps too much, attempting to learn the details of external threat actor motivations, intent, and capabilities, but they don’t develop this kind of intelligence for internal threats. To do the same for trusted employees and third parties, SOC and IT teams need to learn and understand the typical motivations, intentions, and ‘tells’ of malicious insiders. Why? Because an insider’s ability to blend in among us is what makes them so scary and such a challenge to identify. Malicious insiders make a choice to act, and in doing so they leave evidence of their motivations and intentions that can be monitored, analyzed and leveraged to prevent attacks.

