Using the lessons learned from these four scenarios—combined with our experience in investigating countless other data breaches over the years—we formulated thirteen insider threat countermeasures. We clustered these countermeasures into three groupings: detection and validation, response and investigation, and prevention and mitigation. Read the entire "Insider Threat: Protecting the Keys to the Kingdom" report for full details.

1. Report suspicious insider activity—train and sensitize employees to recognize the signs of suspicious behavior, and report it.
2. Log and monitor user accounts—use a Security Incident and Event Monitoring (SIEM) solution, or a User Behavior Analytics (UBA) solution to monitor, detect, and log suspicious account activities.
3. Inventory and monitor sensitive data—track your assets and know where sensitive data is. Monitor systems for data loss.

1. Activate the insider threat playbook—notify key stakeholders, determine evidence sources, and identify witnesses and subjects.
2. Assemble the incident response team—work closely with HR, legal counsel, and a digital forensics firm.
3. Collect and preserve evidence—leverage established evidence handling tools, procedures, and documentation.
4. Contain and eradicate the threat—conduct activities such as blocking traffic, rebuilding systems, disabling accounts, and removing malware.
5. Conduct personnel interviews—interview witnesses and suspects to determine the nature of suspicious activity; involve HR and legal counsel.

1. Start a personnel security program—vet employees through background checks and screening interviews; enforce least privilege, duty separation, and duty rotation for sensitive jobs.
2. Deter insider threat activities—implement effective security policies and procedures. Provide ongoing training to remind employees of these.
3. Maintain physical security—limit access to physical facilities and sensitive areas. Use security cameras, employee badges, and audit trails.
4. Harden the digital environment—restrict access to sensitive systems. Encrypt network traffic and digital media. Remove unneeded apps and patch necessary apps.
5. Prepare for organization changes—brace for negative impact, maintain a strict "need-to-know", and establish termination protocols.

Using these countermeasures can help to keep your organization out of the headlines, and save you from sending out data breach notifications to customers, employees, and regulators. In the unfortunate event you do get that call, remember the Verizon Threat Research Advisory Center (VTRAC) Investigative Response Team is here to help you respond to and investigate these situations.

John Grim, the primary author of the Verizon Data Breach Digest, has over fifteen (15) years of experience in conducting digital forensic investigations within the government and civilian security sectors. Currently, John serves as a part of the Verizon Threat Research Advisory Center (VTRAC) and leads a team of highly skilled technical digital investigators. In this capacity, John responds to cybersecurity incidents, conducts on-site data breach containment and eradication activities, performs digital forensic examinations, leads pro-active data breach response preparedness training and tabletop exercises, and conducts e-discovery and litigation support for customers around the world.