
Common Sense Guide to Mitigating Insider Threats - Best Practice 1 (of 19)

CERT Insider Threat Center, Insider Threat Blog

Hello, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Program, with the first of 19 blog posts describing the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. In the coming weeks, my colleagues and I in the CERT Insider Threat Center will introduce this edition of the guide in a series of blog posts, presenting one recommended practice per post.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. This new edition of the guide is based on our significantly expanded database of more than 700 insider threat cases and continued research and analysis; it covers new technologies and new threats. The guide describes 19 best practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The first of the 19 practices follows.

Practice 1: Consider threats from insiders and business partners in enterprise-wide risk assessments.

Risk is inherently part of doing business every day for any organization. Some risks organizations face include developing a new product, opening a new business location, or merging with another organization. Organizations may not immediately think about the risks posed by trusted insiders, including employees, contractors, subcontractors, suppliers, or other trusted business partners who are granted access to systems, services, or information. It is important that organizations include these threats as part of their enterprise-wide risk assessment.

Organizations need to consider what threats are posed by insiders and what can be done to mitigate or reduce the risk. It is important for all members of the organization to understand the threats the organization faces and what can be done to reduce the likelihood that an insider can cause harm. Otherwise, policies and procedures intended to mitigate the threat may be released, but employees who do not understand their purpose may bypass them altogether.

Trusted business partners need to be held to the same standards as the organization's employees. For example, trusted business partners need to conduct background checks that meet or exceed the organization's background investigations conducted on its own employees. These requirements and others need to be addressed in formal agreements with the trusted business partner.

An organization that is merging with or acquiring another organization needs to conduct a risk assessment before merging or connecting information systems. The assessment should identify potential weaknesses in systems and allow for mitigating controls to be introduced. During the merger process, an organization should perform background investigations on all employees to be acquired at a level commensurate with its own policies.

These are just some of the things an organization should consider as part of an enterprise-wide risk assessment. I encourage you to read more about this best practice as well as the 18 other practices to mitigate insider threats within your organization in the fourth edition of the Common Sense Guide to Mitigating Insider Threats. It provides a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 2, "Clearly document and consistently enforce policies and controls," or subscribe to a feed of CERT Program blogs and don't miss a thing.

If you have questions or want to share experiences you've had with insider threats, send email to
