The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has released a resource to help critical infrastructure operators address the risk of threats from inside their organizations.
CISA’s Assembling a Multi-Disciplinary Insider Threat Management Team infographic, released Jan. 28, is aimed at critical infrastructure entities and state, local, tribal and territorial governments, according to a media release. The agency produced the document to provide “actionable strategies [and] guidance to proactively prevent, detect and mitigate insider threats” so entities can “stay ahead of evolving organizational vulnerabilities.”
Insiders — defined by CISA as those “with institutional knowledge and current or prior authorized access” — can do serious damage to an organization’s security by revealing sensitive information to rivals or malicious actors, damaging organizational reputation and even causing harm to employees and other assets. The agency reminded readers that insider threats don’t necessarily involve active malice, because “negligence or simple human errors can open the door to vulnerabilities that adversaries can exploit.”
CISA’s guidance urged organizations to take insider risks seriously and build a threat management team that can handle incidents involving physical security or cybersecurity, personnel challenges and partnerships with the community. Effective insider threat teams should draw from staff members with responsibility for security, including human resources, general counsel, operations and administration; members of leadership like the chief information officer; and external resources such as law enforcement and medical and mental health counselors.
The agency suggested adopting a framework of “plan, organize, execute and maintain” to guide the insider threat team.
Planning means defining the structure of the team and its scope by identifying priorities based on the organization’s risk tolerance, the assets that need protecting and how the team will be organized and fit into the broader entity, among other considerations.
Organizing entails guiding employee awareness of insider risks, encouraging a security and reporting culture, and providing support to departments that identify possible insider threat activity. CISA reminded readers that this aspect of the job “requires discretion” because the team will have to interact with sensitive and personally identifiable information, which should be kept secured and “handled with the highest degree of confidentiality.”
Execution involves the day-to-day work of gathering and managing information and leading the detection and assessment of potential threats. Steps in this work may include mandatory threat mitigation training for team members, establishing a central information hub and working with the organization’s legal counsel to ensure compliance with state, local and federal laws.
Finally, maintaining the team refers to the “ongoing and dynamic process” of adapting the team’s approach to the developing threat landscape. CISA advised readers to hold regular training and exercises to build the team’s capabilities, solicit employee feedback to address new challenges and ensure that insider threat mitigation is incorporated into any new business line or reorganization.
“People are the first and best line of defense against malicious insider threats, and organizations should act now to safeguard their people and assets,” said Steve Casapulla, CISA’s executive assistant director for infrastructure security. “We encourage leadership to draw expertise from across departments for a holistic defense while fostering a culture of trust where employees feel empowered to report concerns and stop threats before they escalate.”




