The insider threat is a real concern across government and industry and unfortunately, we continue to see significant evidence of the damage incurred by malicious insiders, such as Snowden and Manning.  In the next few years, we will see changes to Government policy, including the National Industrial Security Program Operating Manual (NISPOM) to ensure we are properly protecting national security information and corporate assets.

Since the mere thought of how to create an insider threat plan can be overwhelming, the following five steps are intended to help you put things into perspective as you begin to develop and document your corporate plan.  There are many sources of information available for companies to reference (see list of sources).

Step 1:  Identify the Team

Assemble a team who can make decisions, change policies and understand the importance of the issues.  It is critical the team has a solid understanding of your overall business and your corporate assets.  You may want to include a member of executive management (COO) with budget authority as well as representatives from HR, Security, IT and your legal department.  Schedule a regular meeting time and assign someone on the team to take minutes.  An agenda can also be helpful as you begin to cover the elements of the plan.  The team needs to be able to work across the organization and have the synergy necessary to ensure that when a problem arises, it can be handled quickly.  The team should know the staff and be able to recognize concerning behaviors as potential indicators.

Step 2:  Conduct a Risk Assessment

One of the best ways to protect your company is to fully understand your assets and ensure you are taking the appropriate steps to secure them.  Sit down with executive management and outline what your corporate assets are, such as trade secrets, salary data, proposal data, proprietary data, sponsor or Government National Security data, strategic plans, Personally Identifiable Information (PII), and your IT systems and servers, etc.

Once you have established what the assets are, determine how well they are protected.  What is the risk if the information is leaked to a competitor or a foreign entity?  Look at who has access to the information.  You will want to take steps to limit vulnerability by controlling access to files by staff who do not need the information to complete their job function.  In addition, ascertain if someone terminates to go to a competitor, or for any reason, that you understand immediately what information the person has access to.  Ensure you have procedures in place to be able to take immediate steps to terminate access to information.

Determine if you want to hire consultants to conduct a risk assessment or if you prefer to handle the risk assessment with the senior staff in-house.  The benefit of utilizing consultants may be an unbiased result but may be cost prohibitive.  You might find that you would rather allocate funds to purchase new equipment, such as a new firewall, to protect the assets.

Step 3:  Tighten Up Procedures/Policies

Ideally, the insider threat team will work together to strengthen the procedures, gather feedback, implement changes, and document the new policies as part of the plan.

Start this step by looking at the procedures and policies currently in place to protect  the assets you identified during the risk assessment.  For example, if you have identified certain proposal data as proprietary, you should engage your IT staff to monitor who is downloading the data.  You can also tighten up the procedures surrounding the termination of employees to ensure they understand the NDA’s they signed.  This will protect your company’s assets.  If possible, at the first notification of a termination, look at what the employee has been accessing for the past 30 days.  At this time, remind the person of the NDA signed at date of hire.

In addition to tightening up procedures, adapt an Acceptable Use Policy for your company.  The purpose of an Acceptable Use Policy is to outline the proper use of company information systems.  The policy is established to protect the employee as well as your company from risks (including virus attacks, compromise of network systems and services, and legal issues) due to inappropriate use and/or malicious conduct.  Ensure your staff understands the Acceptable Use Policy and the sanctions associated when the policy is violated.

Step 4:  Security Education

Security education can be as creative as you are!  Many companies that contract with the Government have a security education program in place.  Supplementing the plan with insider threat material is easy with all the resources available online.  The goal of the security education program is to ensure your employees understand how to recognize a threat, both internal to the organization as well as from the outside (such as recruitment), the importance of reporting the potential threat, and how to file a report.

Encourage your staff to report and provide a confidential means of reporting.  If your staff is required to report adverse information, remind them of the requirement.  Reporting may lead to early detection of malicious insiders as well as possible recruitment.

Below are a few examples of indicators but please refer to the sources below for more detailed lists of threat indicators and observable behaviors that may indicate someone is involved in malicious activities.

• Unexplained affluence or excessive indebtedness
• Efforts to conceal foreign contacts, foreign travel or foreign interests
• Requesting access to or accessing information outside official job duties including sensitive or classified information
• Disgruntled behavior at work
• Drug or alcohol abuse, excessive gambling, or criminal activity
• Questionable judgment or untrustworthiness
• Apparent mental, emotional or personality disorders
• Working odd hours (suddenly changing working hours)
• Printing or downloading files excessively

Here are a few ideas to introduce and begin to implement your insider threat program.  Add a few slides to your annual refresher training as a means of introducing the topic and outlining the requirements for reporting.  You can also add to or begin to publish a monthly newsletter to highlight threat indicators and reporting procedures.  Both DSS and the FBI websites have downloadable brochures with relevant information.  If you need a little humor, Threat Geek has great cartoons with insider threat content that will deliver your message in an entertaining way.

Step 5:  Document Your Plan

By the time you get to this step you should be well on your way toward creating a successful plan.  If you have maintained good notes along the way, it will be easy to put the results of your risk assessment, new policies and procedures you have implemented, the details of your security education program, and the team responsibilities into a corporate plan.

Remember, you are never done!  Insider threat is an ongoing and evolving issue and your plan should be continuously amended as you gain more experience working through various issues that arise.

Contributing Author:  Katherine D. Mills

Sources:

CERT: Common Sense Guide to Mitigating Insider Threats

• CERT Website: http://www.us-cert.gov/
• Free download of CERT Guide:
  http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34017

DSS: Insider Threat Courses & Brochures

• On-line Training:  Thwarting the Enemy http://www.cdse.edu/catalog/elearning/CI111.html
• Brochure: http://www.dss.mil/documents/ci/Insider-Threats.pdf

FBI: Insider Threat Briefing

• Briefing and Information:
  http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat

ONCIX: Insider Threat Relevant Reports, Briefings & Reading Material

• Insider Threat Information: http://www.ncix.gov/issues/ithreat/index.php

American Society Industrial Security, Security Management, October 2013:

• “Confronting the Insider Threat,” by Laura Spadanuta Article Link: http://www.securitymanagement.com/news/confronting-insider-threat-0012829

Threat Geek, cartoons for security education

• http://www.threatgeek.com/