Insider Threat Management
What are Insider Threats? (SPG 601.40)
Insider threats pose a significant challenge in cybersecurity. These threats are difficult to address because insiders have legitimate access to systems and data. Traditional security measures such as firewalls and Intrusion Detection Systems (IDS) may not effectively counter insider threats. There are two main types of insider threats: malicious threats, where individuals intentionally cause harm, and unintentional threats, where breaches occur due to errors or carelessness.
Types of Insider Threats
- Malicious Insiders: Staff or contractors who intentionally steal or damage sensitive information for personal gain, revenge, or to assist competitors.
- Negligent Insiders: These are well-meaning staff who unintentionally cause security breaches, such as falling for phishing attacks or mishandling sensitive data.
- Compromised Insiders: These are staff whose credentials have been stolen or compromised, often by external hackers, and used to gain access to the network.
Indicators of Insider Threats
- Behavioral Changes: Significant changes in work habits, negative attitudes, or indications of financial difficulties.
- Unusual Access Patterns: Accessing sensitive information during non-business hours or downloading large amounts of data.
- Unauthorized Access: Accessing files, systems, or applications unrelated to the user’s role.
- External Communication: Communicating with unfamiliar external parties, especially using personal email or unauthorized applications.
Key Strategies for Insider Threat Management
Staff Education and Awareness
- Regularly train the staff on cybersecurity best practices, including identifying phishing attempts, proper data handling, and understanding the consequences of insider threats.
- Create a culture of security awareness in which the staff feels responsible for protecting U-M assets.
- Establish clear security policies regarding data access, storage, and sharing.
Monitoring
- U-M utilizes analytics to monitor users’ access to sensitive data, track abnormal behavior, and identify potential signs of insider threats. AI and machine learning algorithms can assist in identifying deviations from normal behavior and flagging potential risks. It’s essential to strike a balance between surveillance and privacy to prevent the erosion of trust with staff.
Privileged Access Management (PAM)
- U-M implements the principle of least privilege, which means users should only have access to the systems and data required for their roles.
- Audit and review access controls regularly to ensure that staff do not keep access to systems they no longer need.
- U-M uses role-based access control and just-in-time access to limit exposure.
Data Loss Prevention (DLP) Tools
- U-M implements Data Loss Prevention (DLP) tools to monitor and block unauthorized transfer of sensitive data through channels like email, USB devices, or cloud storage.
- We track and flag abnormal data transfer behaviors, such as large file downloads or external file sharing.
- Encrypt sensitive data to protect against accidental or malicious disclosure.
Regular Auditing and Monitoring
- U-M conducts audits of data access logs to detect any irregular activities or access requests.
- We use automated tools to generate alerts for abnormal activities such as data exfiltration, unusual login times, or large data downloads.
- Ensure security teams have real-time visibility into access patterns across the network.
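The "Unusual Access Patterns" indicator and the automated alerting described above can be expressed as simple detection rules over access logs. The following is an added illustration, not U-M's own tooling: it runs two rules (non-business-hours access and large per-user daily download volume) over a constructed audit log; the log format, the business-hours window, and the 500 MiB threshold are assumptions chosen for the example.

```python
"""Flag off-hours access and large downloads in audit log lines (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, user, action, resource, bytes transferred.
# 2025-05-05 is a Monday, so every line falls on a weekday.
SAMPLE_LOG = """\
2025-05-05T09:12:03 alice read hr/payroll.xlsx 20480
2025-05-05T14:40:11 alice download research/dataset.csv 5242880
2025-05-05T23:47:52 bob download hr/payroll.xlsx 734003200
2025-05-06T02:15:09 bob download research/dataset.csv 314572800
2025-05-06T10:05:30 carol read hr/benefits.pdf 102400
2025-05-07T11:30:00 carol download research/dataset.csv 5242880
"""

BUSINESS_HOURS = range(7, 19)              # assumed window: 07:00-18:59 local time
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024   # assumed threshold: 500 MiB per user per day


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, resource, size = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource, "bytes": int(size)})
    return events


def off_hours_access(events):
    """Rule 1: any access on a weekend or outside business hours."""
    return [("off_hours", e["user"], e["resource"], e["ts"].isoformat())
            for e in events
            if e["ts"].weekday() >= 5 or e["ts"].hour not in BUSINESS_HOURS]


def large_downloads(events, threshold=LARGE_DOWNLOAD_BYTES):
    """Rule 2: per-user daily download volume above the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            totals[(e["user"], e["ts"].date().isoformat())] += e["bytes"]
    return [("large_download", user, day, total)
            for (user, day), total in sorted(totals.items()) if total > threshold]


def find_alerts(text):
    """Run both rules over a log and return the combined alert list."""
    events = parse_log(text)
    return off_hours_access(events) + large_downloads(events)
```

In practice the fixed threshold would be replaced by a per-user or per-role baseline, and each alert would be triaged by an analyst before any action is taken, since a single rule hit is an indicator rather than proof of misuse.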
Anonymous Reporting
- Staff have safe and anonymous channels to report suspicious activities or potential insider threats.
- Any incidents involving Protected Health Information, Human Subject Research Information, Payment Card Information, or Cybersecurity threats should be reported to the security unit liaison and sent to security@umich.edu.
- Establish a clear process for investigating reports so that staff feel comfortable raising concerns without fear of retaliation.
Challenges in Insider Threat Management
- Privacy vs. Security: Balancing the need to monitor staff against respect for their privacy.
- Staff Morale: Aggressive insider threat detection programs can create a culture of mistrust if not handled delicately.
- Detecting Low-Level Threats: Some insiders can evade detection for extended periods, slowly siphoning information, which makes real-time detection difficult.
- False Positives: Advanced detection tools can sometimes generate false positives, which can lead to wasted time and resources chasing non-existent threats.
Last Updated on May 10, 2025