Organizations of all types and sizes are vulnerable to insider threats—from family-owned small businesses to Fortune 100 corporations, local and state governments, and public infrastructure to major federal departments and agencies.
Individuals entrusted with access to or knowledge of an organization represent potential risks, and include current or former employees or any other person who has been granted access, understanding, or privilege. Trusted insiders commit intentional or unintentional disruptive or harmful acts across all infrastructure sectors and in virtually every organizational setting. These disruptions can cause significant damage (see examples below).
To combat the insider threat, organizations should consider a proactive and prevention-focused insider threat mitigation program. This approach can help an organization define specific insider threats unique to their environment, detect and identify those threats, assess their risk, and manage that risk before concerning behaviors manifest in an actual insider incident.
An effective program can protect critical assets, deter violence, counter unintentional incidents, prevent loss of revenue or intellectual property, avert sensitive data compromise, and prevent organizational reputation ruin, among many other potential harmful outcomes.
This Insider Threat Mitigation Guide (hereafter referred to as the Guide) is designed to assist individuals, organizations, and communities in improving or establishing an insider threat mitigation program. It offers a proven framework that can be tailored to any organization regardless of size. It provides an orientation to the concept of insider threat, the many expressions those threats can take, and offers an integrated approach necessary to mitigate the risk. The Guide shares best practices and key points from across the infrastructure communities to assist organizations in overcoming common challenges and in establishing functional programs. It also offers case studies and statistical information to solidify the business case for establishing an insider threat mitigation program.
CISA recognizes that efforts to mitigate insider threats are complex. In addition, the nature of insider threats means that no two programs will be exactly alike. Flexibility and adaptability are important. The threat landscape continually evolves, technology shifts rapidly, organizations change in response to various pressures, and companies adapt to market forces. As a result, not every best practice or case study insight presented in this Guide will be directly applicable to every organization. Still, this Guide can provide value for a wide range of individuals and organizations, from the solo practitioner in a small company that requires some assistance up to and including a sizable agency that has a staff capable of operating a full complement of insider threat professionals. It offers valuable and achievable strategies, capabilities, and procedures to help organizations define their insider threats and then detect and identify, assess, and manage them in a comprehensive manner.
Ultimately, this Guide is designed to advance a shared, whole community approach to preparedness. Working together across infrastructure communities helps keep the Nation safe from harm and resilient when disruptions occur.
Examples of Insider Threats
An engineer steals and sells trade secrets to a competitor
A maintenance technician cuts network server wires and starts a fire, sabotaging operations
An intern unknowingly installs malware
A customer service representative downloads client contact information and emails it to a personal account for use when starting their own business
A database administrator accesses client financial information and sells it on the dark web
An employee brings a weapon to the office and injures or kills several of their coworkers