1. Don’t Panic. Immediately isolate the compromised system(s) and preserve evidence.
When an insider breach occurs or is suspected, it is imperative that you contain the damage quickly to protect customer data and preserve evidence in case a forensic investigation follows. Then work towards identifying the root cause of the incident and execute your incident response plan if you have one. If required, call on third-party forensic and technical experts to help determine the source of the breach and the extent of the damage.
2. Deactivate the malicious insider's accounts and reset credentials.
Make sure you deactivate every account associated with the malicious insider and reset all related credentials, including any shared or service credentials the insider knew. Also ensure that separation of duties is effectively enforced by granting only least-privilege access.
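Steps 1 and 2 amount to two checkable actions: record what was collected before anything changes, and sweep every credential the insider controlled or knew rather than only the primary login. The following is an added example, not part of the original checklist; the artifact contents, the identity inventory and all names (jdoe, svc-reporting, shared-dba) are constructed for illustration, and the functions stand in for whatever directory or IAM tooling an organisation actually uses.

```python
"""Evidence manifest and linked-identity sweep for an insider case (added example).

Everything below is hypothetical and self-contained: the artifacts and the identity
inventory are constructed inline so the script runs offline.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-ins for files collected from the isolated host.
ARTIFACTS = {
    "auth.log": b"Mar 03 02:14:07 db01 sshd[4121]: Accepted publickey for jdoe from 10.0.5.23\n",
    "sudo.log": b"Mar 03 02:15:31 db01 sudo: jdoe : COMMAND=/usr/bin/tar -czf /tmp/x.tgz /var/lib/pg\n",
}

# Constructed identity inventory. 'known_to' lists people who hold a shared credential.
IDENTITY_INVENTORY = [
    {"id": "jdoe",           "type": "user",           "owner": "jdoe",    "status": "active"},
    {"id": "svc-reporting",  "type": "service",        "owner": "jdoe",    "status": "active"},
    {"id": "tok-8f3a",       "type": "api_token",      "owner": "jdoe",    "status": "active"},
    {"id": "ssh-deploy-key", "type": "ssh_key",        "owner": "jdoe",    "status": "active"},
    {"id": "shared-dba",     "type": "shared_account", "owner": "team-db", "status": "active",
     "known_to": ["jdoe", "asmith"]},
    {"id": "asmith",         "type": "user",           "owner": "asmith",  "status": "active"},
]


def build_manifest(artifacts, collector, source_host):
    """Hash each collected artifact and record who collected it, where and when.

    The manifest itself is hashed so a later reviewer can tell whether the record
    (not just the files) was altered after collection.
    """
    entries = {
        name: {"sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}
        for name, data in artifacts.items()
    }
    return {
        "collector": collector,
        "source_host": source_host,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
        "manifest_sha256": hashlib.sha256(
            json.dumps(entries, sort_keys=True).encode()).hexdigest(),
    }


def verify_manifest(manifest, artifacts):
    """Return the names of artifacts whose current hash no longer matches the manifest."""
    changed = []
    for name, entry in manifest["artifacts"].items():
        current = artifacts.get(name)
        if current is None or hashlib.sha256(current).hexdigest() != entry["sha256"]:
            changed.append(name)
    return sorted(changed)


def deactivation_plan(inventory, principal):
    """List (identity, action) pairs covering every credential the insider controls or knows.

    Identities the insider owns are disabled. Shared credentials the insider merely knew
    are rotated instead of disabled, because other staff still depend on them.
    """
    plan = []
    for ident in inventory:
        if ident["status"] != "active":
            continue
        if ident["owner"] == principal:
            plan.append((ident["id"], "disable"))
        elif principal in ident.get("known_to", []):
            plan.append((ident["id"], "rotate_credential"))
    return plan


def apply_plan(inventory, plan):
    """Apply the plan to a copy of the inventory and return the updated copy."""
    actions = dict(plan)
    updated = []
    for ident in inventory:
        ident = dict(ident)
        action = actions.get(ident["id"])
        if action == "disable":
            ident["status"] = "disabled"
        elif action == "rotate_credential":
            # After rotation the old holder no longer knows the secret.
            ident["known_to"] = [p for p in ident.get("known_to", []) if p not in actions
                                 and ident["owner"] != p]
        updated.append(ident)
    return updated


def residual_access(inventory, principal):
    """Post-check: any still-active identity the principal owns or knows is a gap."""
    return sorted(i["id"] for i in inventory
                  if i["status"] == "active"
                  and (i["owner"] == principal or principal in i.get("known_to", [])))


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS, collector="ir-oncall", source_host="db01")
    print(json.dumps(manifest, indent=2))
    plan = deactivation_plan(IDENTITY_INVENTORY, "jdoe")
    after = apply_plan(IDENTITY_INVENTORY, plan)
    print("plan:", plan)
    print("residual access:", residual_access(after, "jdoe"))
```

The two checks that matter are `verify_manifest`, run again whenever the evidence changes hands, and `residual_access`, run after the sweep; an empty result from the latter is the condition for declaring step 2 complete.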
3. Inform relevant persons and follow legal requirements.
Once the identity of the malicious insider is confirmed, inform employees, stakeholders and others as necessary. If any sensitive information such as cardholder data is confirmed or suspected to have been stolen, contact your local law enforcement.
An insider breach may lead to many other incidents, such as a PII breach, an IP breach, the introduction of malware or a cardholder data compromise. If you are concerned that an insider has caused such an incident, refer to the specific breach section above.