Twitter Facebook Google RSS
Homeland Security News 

Funding Not Following Concerns About Insider Threats 


By Stew Magnuson 

Spies, disgruntled workers and intellectual property thieves have always been a problem in both government and private sector organizations.

The Edward Snowden scandal and Julian Assange’s WikiLeaks organization have brought to the fore the problem of “insider threats” as never before.

Congressional hearings, conferences and newspaper articles have all raised awareness, but a recent survey found that despite the hand-wringing, organizations are not putting resources toward the problem.

“People are now trying to get a better understanding of the insider threat problem, but one thing that is not happening yet, and it’s the case for government and commercial [sectors] alike, is that the budgets seem to be lagging,” said Michael Crouse, director of insider threat strategies at Raytheon Co. 

Raytheon commissioned the survey to gain a better understanding about industry’s awareness of the problem, he said. The survey report, “Privileged User Abuse and the Insider Threat,” was derived from the polling of 693 info-tech managers and was conducted by the Ponemon Institute, a research and consultancy firm.

Respondents said they were aware of the problem and that they want to be more proactive when it comes to insider threats, but the survey indicated that this is mostly talk, Crouse said.

“The budgets haven’t caught up to that awareness and thinking yet,” he said.

“People are really fighting for every dollar. And when they are fighting for every dollar, they really have to fight for new requirements, and they have to … be able to show the return on investment,” he added.

It is easier to show that return on investment when it comes to thwarting external threats such as foreign hackers, he said.

The high profile WikiLeaks and Snowden cases are prompting some companies and agencies to put together insider threat programs, he said.

Insider threats generally come in three categories. Data gathered by the Carnegie Mellon computer emergency response team show that the most common is information technology sabotage at 41 percent of incidents. That is followed by fraud for personal financial gain at 26 percent and theft of intellectual property at 20 percent. The remaining 14 percent are miscellaneous.

One example of a miscellaneous threat would be the case of an info-tech employee who was paying someone overseas to do his work for him.

“That is an insider threat. Giving someone access to a company’s information,” he said.

It is difficult to quantify how prevalent insider incidents are because exposing them can have an impact on an organization’s morale and reputation, and companies may lose business and profits, he said.

The recent case of a Microsoft employee who was caught allegedly selling information to a competitor is rare because it actually made it into the press, he said.

Almost 70 percent of respondents said they do not have enough contextual information from the tools they are using today, he said. And 56 percent said there were too many false positives from the ones that they do have.

Traditional informational assurance tools don’t provide the intent of what the individual is trying to do, Crouse said. An employee might be moving data to a non-corporate USB thumb drive maliciously or simply by mistake.

Network sensors can see that someone pulled down a file of proprietary information. Is he renaming it so it can be attached to a Gmail account, or cutting and pasting the information so it can be sent via instant messaging to someone outside the organization?

Knowing these answers can indicate the behavior and intent, not just the act. “There are tools today that can do that, but you have to be willing to invest and deploy such products,” he said.

The report recommends a nine-step program to tackle insider threat programs.

One is increased training, which goes both ways, he said. It involves teaching investigators to identify bad behavior but also educating the workforce.

There are techniques that a spy could use to trick a fellow employee into handing over sensitive materials, he said. Workers should know how to recognize these tactics.

The risk is out there for all organizations, no matter what their sector or size, Crouse said.

Managers don’t want to believe that employees that they trust, and may have directly hired, can carry out these kinds of acts. But more of them are taking a “trust and verify” approach. They audit their employees when it comes to accessing sensitive information.

“We know this is a difficult problem because you are talking about human behavior, but it’s not impossible. But if companies are willing to take it seriously and invest in the proper way, in processes, procedures and technologies, they can have an effective program,” Crouse said.

Photo Credit: Thinkstock

Reader Comments

Re: Funding Not Following Concerns About Insider Threats

I think we're seeing the turning point. The TARGET breach resulted in the first CEO to lose their job because of an insider security breach and possibly five other directors to follow. This is significant. Every board should now be thinking this is not going to happen to me, we need to address this problem. This may well mean more emphasis (and budget) is given towards building an Insider Threat Program. Moving from paranoia to protection means involving a sophisticated tool set, staff and manager’s awareness and an efficient process.

Chris Bunn on 06/17/2014 at 08:51

Submit Your Reader's Comment Below
The content of this field is kept private and will not be shown publicly.
Please enter the text displayed in the image.
The picture contains 6 characters.
*Legal Notice

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

  Bookmark and Share