The group started by focusing on defining an insider threat. The group made the distinction that what they felt made a true insider threat was maliciousness rather than carelessness. While there are a lot of good people who do stupid things in organizations every day, the group felt that these individuals were overall less problematic than those who are actively malicious in their goals. About half of the members of the group had a formal insider threat program in place. They also agreed that key indicators of an effective insider threat program are maturity and company engagement. Everyone in the company needs to be actively engaged in order to help identify insider threats.
The group also felt that perhaps the focus should be more on insider risk. Insider incidents tend to happen more often near the end of an employee’s time with a company. Some statistics shared among the group indicated that an employee’s last two weeks are the most critical and vulnerable time for them to emerge as a potential insider threat. The group also talked about the risks surrounding privileged users and which of these users are the most vulnerable as potential insider threats.