CERT National Insider Threat Center Releases Sixth Edition of Common Sense Guide to Mitigating Insider Threats
April 10, 2019—The CERT National Insider Threat Center, part of the SEI's CERT Division, has released the sixth edition of its Common Sense Guide to Mitigating Insider Threats. This edition reports the center's new research on unintentional insider threats and workplace violence, alongside fresh insights on the primary categories of insider threat: intellectual property theft, information technology sabotage, fraud, and espionage. The report also expands its organizational practices for mitigating insider threats to include positive workforce incentives, and it maps these practices to recent standards and regulations.
Written for decision makers across an organization, the report is based on the CERT Division's continued research and analysis of more than 1,500 insider threat incidents across public and private industries.
A major feature of the Common Sense Guide's latest edition is a new insider threat best practice about providing positive incentives in the workforce. Michael Theis, lead co-author of the report and chief engineer of Strategic Engagements for the CERT National Insider Threat Center, says that positive workplace incentives can counterbalance negative experiences that might motivate insiders to harm the organization. "This practice is a game changer because it’s proactive," says Theis. "Without having to know about potential threats or vulnerabilities, organizations may mitigate those problems." The new practice is based on 2016 research by the center on positive incentives and insider threats. Theis discusses the new practice and other features of the Common Sense Guide’s sixth edition in a new blog post.
The latest Common Sense Guide also provides new mappings of practices to four standards: the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Center for Internet Security (CIS) Controls Version 7, National Insider Threat Task Force (NITTF) Insider Threat Program Maturity Framework, and the European Union's recent General Data Protection Regulation (EU-GDPR).
Since the Common Sense Guide's fifth edition, released in 2016, the center has updated its definition of insider threat to include workplace violence. This change was inspired by the center’s research on the risk factors and warning behaviors of workplace violence. That research led the center to start adding such cases to its corpus of insider threat incidents. The Common Sense Guide now explicitly integrates the issue of workplace violence into its practices for mitigating insider threats. The practices also address unintentional insider threats more prominently, following research by the center on the impact of events such as phishing and accidental data loss.
The report outlines current trends in the ways organizations are responding to the insider threat landscape. "Many organizations feel insider threats are a greater risk to critical assets than external threats," says Randy Trzeciak, director of the CERT National Insider Threat Center. He notes that many organizational insider threat programs have moved beyond their initial capability and are looking to mature their processes. Another trend among organizational insider threat programs is employee monitoring through technical solutions that identify technical and behavioral anomalies.
Such monitoring of employees is subject to the EU-GDPR. The directive protecting EU citizens' personal data processed by private organizations went into effect in May 2018. The Common Sense Guide has long recommended that employee monitoring be performed in compliance with legal and regulatory requirements. The sixth edition maps insider threat monitoring activities to EU-GDPR principles.
The Common Sense Guide to Mitigating Insider Threats, Sixth Edition can be downloaded from the SEI's Digital Library.