Click for Part 1.
In Part 1 we looked at the background of an Insider Threat and what were some indicators of how they got to where they were. What we want to do now is to identify steps to implement to help mitigate the threat insiders pose to your organization.
Implement Security Policies and Security Education and Awareness Training. Your security is only as strong as your weakest link. One person who clicks on a suspicious email, or someone who is careless with their password discipline can expose any business to security threats. Develop a vision on how you are going to approach security, discuss why it’s important and then implement measures. It will not be convenient for everyone, but will protect your business. And here’s a hint – if people are grumbling about the security measures in place, then you are on the right track. Then follow-up with realistic training about how to protect your business and your employees. If you are a sole proprietor, go online and look for training. The threats are overwhelming and they change every day. Become an alert and aware business.
Learn and Keep Up with History/Trends. The stories of military espionage are all over the news, or captured through books or online because they had so much impact on world outcomes or wars. But just as important are the economic espionage cases that have occurred and understanding the who, what, when, where and why. For every Aldrich Ames or Robert Hanssen, there is a Yuan Li or Michael Mitchell. Ryan Anderson could be Chi Mak. They are out there. We learn from the past; they help give us clues as to what to look for and how competitors and foreign companies operate.
Implement Access Controls. Sometimes the easiest thing to do is to allow everyone access to folders online and every room in the building. Since we have already established that security isn’t convenient or easy, we need to implement control measures that limit employee’s access. This doesn’t mean that you don’t trust your employees or co-workers, but everyone doesn’t need to know everything. The researcher doesn’t need access to client data; the secretary doesn’t need access to clinical trials; etc, you get the point. This applies to small business as much as it does to big business and should be part of your security processes and policies. This should be integrated into the onboarding/new hire process.
Implement Non-Retribution Reporting Processes. This is going to be a tricky one. It’s always easy to think of Counterintelligence personnel as being “Internal Affairs” type of watch dogs who single out otherwise good employees and make their lives miserable. It is true that they look internally, but the key is that this internal sweep is based from a couple of factors – an accusation was made, or patterns were identified that called attention to an individual. If you have implemented security policies and an education and awareness training program, the expectation should be that employees keep a watchful eye. Not to “tell” on anyone, but to keep the business postured for success. And if they are keeping a watchful eye then they need to be able to report instances to a defined and unbiased structure. The key is holding the reporting structure/process accountable for conducting responsible actions and not conducting a witch hunt. Establish the authority of this reporting process and what their actions are. What is their goal and mission? How far can they go? What are their legal responsibilities? The goal should be to validate the accusation – confirm or deny that through basic investigative actions that involve the lowest type of techniques; or the least invasive. Meaning, you should determine if there is basis for the accusation and elevate accordingly. And secondly, the process needs to be transparent to the leadership and should be able to withstand any type of challenge of bias.
Identify Network Solutions. There are lots of network solutions available to help complement your security awareness and education process. Do you need to implement a USB logger on your systems to see if people are downloading an excessive amount? Do you screen emails with attachments? Should you lock down USB or CD/DVD burn capabilities of network computers? What is your BYOB policies? Should you block access to the network? Are you able to observe internet traffic and spot/block suspicious sites. The list could go on and one, but if implement security awareness and training, then you also need to reinforce this with things people can’t see. These should complement one another.
An Insider Threat can take many forms and have different type of outcomes. There is the violent outcome where an employee feels wronged and it has a tragic outcome. This type of threat is very dangerous and employees need to be on the look out for those type of tendencies and report as appropriate. However, the Insider Threat that scares businesses the most are the ones who operate right under our noses and slowly steal data and intellectual property.