NDIA POLICY POINTS DEFENSE DEPARTMENT
Insider Threats - More Than Just an IT Problem
When once-reliable employees turn against their company, severe damage can result. The 1999 cult comedy classic Office Space provides a humorous example. Peter Gibbons, a software programmer fed up with being mistreated, uploads a virus to steal money from the company. However, Peter’s plan goes awry, and he steals even more than he intended.
Although Office Space is a comedy, its plot provides a powerful lesson of an employee becoming an insider threat. Protecting vital corporate data and networks when “good guys go bad” requires more than monitoring for technological indicators of insider threats. Companies must also screen for the human factors that could indicate a developing problem. Facing a growing body of cybersecurity compliance obligations, defense suppliers should leverage best practices in strategic human resource management to preempt developing insider threats.
Companies increasingly rely on enterprise databases accessible across their workforce. With increased employee access to company data, risk of malicious release of information is a significant threat. In 2015, a report from McAfee noted 33 percent of internal actors took employee information, 27 percent took customer information, and 15 percent took intellectual property.
According to a 2018 Cybersecurity Insiders survey of cybersecurity professionals, employees who become insider threats tend to target vulnerable assets like “confidential business information,” “privileged account information like passwords,” “sensitive personal information,” “intellectual property” and “employee human resources data.” Corporate stakeholders see threats against these assets as particularly damaging.
Given the growing insider risk to these valuable assets, developing a holistic approach to tracking threats is an important cybersecurity goal. Furthermore, National Institute of Standards and Technology Special Publication 800-171 requires that companies provide security awareness training on recognizing and reporting insider threats. While information technology leaders understand insider risk, they commonly lack the expertise and authority to address the problem through educational and behavioral approaches.
Employees outside the IT department may bring more suitable skills to identifying the profiles and mitigating the motivation behind potential threats.
Companies should prioritize identifying sources of employee risk and develop monitoring strategies. Knowing what causes an insider to act in opposition to company goals is difficult because bad actors don’t always share the same motivations or incentives. Looking at patterns can help identify vulnerabilities. NATO’s Cooperative Cyber Defense Centre of Excellence categorizes threats into IT sabotage, IP theft, fraud, espionage and unintentional insiders. Each of these threats have different behavioral indicators and require remedial strategies companies should develop and tailor to their specific needs.
Problems may also stem from external influences on employees. According to the center, collusion with outsiders, business partners, mergers and acquisitions, cultural differences, foreign allegiances and involvement in the “internet underground” can increase the complexity of dealing with insider threats. Companies should factor into their strategies how external actors can influence insiders. When compounded with behavioral indicators, trained employees may identify potential external influence risks to coworkers.
The corporate solution to insider threats involves individual and organizational human components. Technical solutions can identify occurrences but understanding human factors allows employers to act preventatively. Since social factors and external influences weigh heavily on malicious insider development, those who interact with employees on a personal level are likely to be in the best position to notice behavioral indicators.
Having a technical degree isn’t indicative of an employee’s ability to distinguish a threat. Carnegie Mellon’s CERT — community emergency response team — found among those who identified insider threats, 72 percent worked in non-technical roles. Cultivating employees with the skills to build resilient IT systems is important, but that is no longer enough. Companies should also value employees who can provide the requisite education and training to alert their coworkers to social indicators of insider threats.
Organizationally, companies should house monitoring and remediation responsibilities in a centralized place. The Cooperative Cyber Defense Centre of Excellence analysis found effectiveness in having dedicated personnel coordinate with information security officers. Therefore, while it is important all employees understand cybersecurity, companies might benefit by offering specialized training to human resource employees.
The overarching solution should be to develop a comprehensive strategy that includes a focus on human resource departments fostering a supportive work environment.
Corporate leaders must strike a careful balance between protecting employees’ privacy and preventing a hostile work environment. Input from job functions that understand the pressures surrounding employees’ work-life balance could be especially valuable in building resiliency against insider threats. Employers need to think about how they can provide support to improve employees’ personal resilience when confronted with the pressures that lead them to become a malicious insider.
Much of this will come from extensive self-examination across the info-tech and human resources spaces. Both areas can see a benefit through collaboration. Given the high stakes of a potential data breach, the preemptive benefits offered by a strategic alliance between HR and IT are too important to pass up.
Mike Patterson is an NDIA junior fellow and a third-year law student at American University.
Topics: Defense Department