Insider Threats a Looming Issue for Government Contractors (UPDATED)
Government contractors must devote more resources and attention toward insider threat programs within their companies, a Deloitte executive said.
“Developing strategies so that employees know what kind of activities are acceptable and which ones are not is critical to the protection of data,” said Mike Gelles, managing director at Deloitte Consulting and author of “Insider Threat: Prevention, Detection, Mitigation and Deterrence.”
“Developing a policy isn’t enough — there has to be consistent monitoring to make sure employees are keeping critical data secured,” he told National Defense.
The book, published by Butterworth-Heinemann in May, defines an insider threat as encompassing everything from espionage and embezzlement to intellectual property theft from current or former employees.
Information leaks like Edward Snowden’s National Security Agency scandal can possibly be mitigated through cybersecurity initiatives, Gelles said.
“Cybersecurity looks at protecting the perimeter — it focuses on a company’s ability to lose potential assets from an external attack,” he added. “By creating an insider threat policy in conjunction with cybersecurity, you can monitor what is going on inside your workforce ... and determine who can be attacking from within.”
On May 18, the Defense Department released a letter indicating a change to the National Industrial Security Operating Manual (NISPOM). It requires government contractors to establish and maintain a "program to detect, deter and mitigate insider threats.” The deadline for implementing these changes is Nov. 30.
Gelles isn’t completely satisfied with the mandate, citing a lack of comprehensive solutions for protecting government data.
“I don’t know if it’s the end-all solution,” he said. “It comes up short because it [NISPOM] doesn’t require monitoring. There’s nothing to suggest they should be implementing analytics to keep track of employee activities.”
Having a policy alone isn’t enough, Gelles said. Oftentimes rules are not easily assimilated into the everyday work place, and the lack of enforcement means that information moves more readily.
“The workforce needs to remain aware,” he said. “It’s not enough for company leadership to say, ‘You cannot use this information in this way.’ There has to be a dialogue.”
Better communication across the board means that employees are much more readily able and comfortable with moving information, both within the company and from the company to an outsider.
However, having this access opens the door for potential exploitation of information, Gelles said.
What he classifies as a “complacent insider” in his book — an unwitting, non-malevolent employee who sees himself/herself as above the rules and the job they’re performing — is the most threatening for an organization.
“Complacent workers are the key vulnerability between the perimeter and the inside,” Gelles said. “Because they do their job by whatever means necessary, they violate rules and controls, exposing an organization to tremendous risk.”
Activities carried out by complacent workers include clicking on phishing emails or allowing an outsider access to systems, buildings or people.
As millennials begin to come into the workforce, companies will also have to come to terms with dealing with an increasingly comfortable digital generation.
“Millennials can manipulate information and virtual systems at a far more superior rate than baby boomers can,” Gelles said.
Younger generations tend to be far more fluid in the dissemination of the information and programs they create, he added. For example, employees can take projects and information systems they created in their past roles with them when they move on to another job. That creates a hole in a company's security, Gelles said.
“Business in a virtual space makes it easy to move information to ... Dropbox or [an] email in such a way that their activities aren’t being observed like they were in the days of having to carry around physical documents,” he said.
Gelles believes the process behind a company’s insider threat policy is what matters most. “Contractors need to have programs to take on the responsibility of their workforce,” he said. “There will be a continued contractor threat if their companies don’t develop programs to safeguard their data.”
Correction: This post has been updated with Gelles' correct title and the full title of the book.