Insider Threat Programs: A Beginner’s Guide
What your company spent years to develop can be lost in an instant at the hands of one bad intentioned employee. The statistics on employee theft of intellectual property (IP) paint a dark portrait of what employees do when disgruntled, moving on, or stockpiling for a rainy day. William Evanina, the U.S. government’s National Counterintelligence Executive in the Office of the Director of National Intelligence says, “As a corporate leader, the single most important investment in protecting your proprietary information and sensitive trade secrets is developing a viable and enterprise-wide insider threat program”.
To paraphrase the well-worn mantra on hacking and apply it to the pandemic of Insider Threat: There are two types of companies, those whose employees have already stolen IP, and those who simply don’t know it yet. No matter where your company is along its journey toward an effective insider threat program, success or failure is measured by the last harmful egress of research, formulas, algorithms, strategies, service manuals, or other critical business information (CBI). Whether your effort to detect, deter, and prevent CBI loss has become an industry model or is still a nascent vision, three common components can help build a new plan or help review and adapt a mature program.
Security professionals exploring insider threat fundamentals can take a lesson from first year journalism students. Budding reporters are trained to instinctively repeat basic questions designed to get to the truth, and three of those questions drive formation of all Insider Threat programs: “What?”; “Where?”; and, “Who?” Security leaders should make it their practice to ask these three questions of their staff, key partners, and operational components of their companies. What is it that most merits protection? Where is this most critical information located, physically and in cyber space? Who amongst us requires regular access to CBI?
As the past head of counterintelligence for the FBI, a former corporate security executive for one of the world’s largest companies, and now a risk management consultant, it no longer surprises me to hear new security professionals struggle to answer these basic questions. Security practitioners sometimes perpetuate the long-standing C-suite myth that “security’s got this” when it comes to everything from a missing gym bag to a missing gyroscope. The perception that someone, somewhere, must have already addressed, planned for, or is in the process of resolving the concern of the moment, provides comfort to our senior executives and job assurance for those of us in the profession. But the comfort is dangerous and the assurance is hollow. Rather, we should work to dispel the notion that security can or should protect everything. To do that, the savvy security executive endeavors to first identify and then deeply understand exactly what represents the future of the company, where it resides, and which employees have stewardship of this lifeblood. Done correctly, in partnership with key stakeholders including Human Resources (HR), Legal, IT Risk, and Engineering, Science or Business leaders, this approach provides laser-like focus on what really matters, shares ownership across components, and generates confidence in a process designed to protect against existential threats to jobs and share price.
Build Your Team
Successful implementation of insider threat programs hinge on assembling the right team. IP protection is a team sport and should not be carried out by one component alone. The team requires willful senior level participants who are convinced the time is right to defend the company against the threat from within. Leadership is often motivated to take this step by a crisis sparked by the loss or near loss of a trade secret at the hands of a departing or on-board employee or contractor. But waiting for such a crisis is not advisable. Gather data on losses suffered within your industry, supply chain, or customers. Talk to FBI corporate outreach contacts and ask for examples of economic espionage targeting your technologies. Talk to HR about where employees go when they depart and ask those employee’s former managers whether cumulative losses pose a concern.
Meet one-on-one with a senior thought leader in Legal, IT Risk, HR, Business Development, or Research and ask them to partner with you to assemble a team and form an Insider Threat program. Next, meet unilaterally with each proposed team member to brief them on the threat and risk to proprietary data and seek their support to more strongly defend the company. In some non-defense corporate cultures, using the phrase “Insider Threat” can still generate privacy, trust, and culture concerns. In one large company, a security leader’s proposal to discuss such a program was met with this question from the head of HR, “Do you not think we should trust our employees?” The security leader responded, “I do, and I think we should have mechanisms in place to defend our trust.” Meeting first with each partner will allow you to listen to their concerns. Limit the team to five or six decision makers from key functions. When the team is assembled start asking the first of the Journalism 101 questions.
Whether a newly appointed security leader or seasoned veteran, the question at the heart of IP protection is, “What exactly are we protecting?” Responses provided by security and business leaders to this single question help measure the need for an Insider Threat initiative or the maturity of an existing program. Common responses from the security ranks include; “I’m protecting these buildings”, “I’m protecting this campus”, “I’m protecting people”. Even security professionals in large, sophisticated corporations frequently do not cite, “ideas”, “research”, “technologies”, or “critical employees”, when asked what they protect. Follow up questions on which campuses, buildings, or people are more critical than others are sometimes met with silence or criticism that the question implies some employees are more important than others. One long-tenured security leader responded by displaying his daily automated reports advising him which doors, hallways and offices were entered, but, he could neither articulate which company functions occurred there nor how his data was relevant.
Importantly, your team should pose the “What” question to key business leaders including the CEO, General Counsel, CFO, Supply Chain leader, Research or Engineering executives, Business Development or Sales heads, and corporate audit manager. Provide context by framing the question as an attempt to identify the small subset of proprietary information that would most damage the company if it fell into the wrong hands. Various formulas and thresholds can be customized to help guide this discussion and quantify the degree of damage to finances, share price and reputational risk.
Security professionals can only truly protect that which they know is there. Once CBI is identified, the team must learn where it resides, in both physical and cyber space. In large companies with thousands of employees and facilities, this question is more easily asked than answered. Yet, the answer is vital to learning how your CBI is exposed. One large company locating its CBI discovered a proprietary formula sitting in an open folder accessible by its entire employee population. Audit of the folder revealed that employees in high risk nations had visited the folder without any valid reason.
When countering the insider threat, the physical and the cyber security of CBI must be viewed as one holistic endeavor. The behavior of data and the behavior of humans are inextricably linked and the partnership between IT Risk and Physical Security should be seamless. Once aware that specific buildings, offices, or laboratories contain CBI, protocols and checklists for enhanced safeguarding can be drafted. This initiative counters more than just the internal threat. Upon learning the location of a sensitive manufacturing process one company found the process was part of a public tour route.
The seemingly simple “Who” question can generate more consternation than the previous two questions combined, particularly from your partners in HR and Labor & Employment Law. While answering the first two questions is often labor intensive, this last query raises issues of policy, organizational culture, and law. Companies may learn that some CBI is assigned to contractors, and the team must wrestle with the issue of whether people with less allegiance, and more transient tenure, should be entrusted with the firm’s future. Yet, identifying employees who require access to CBI is easy compared to planning how to relate to them. This discussion should include: standards for employees to receive and maintain CBI access; policies on travel and device security; enhanced computer monitoring; and, governance protocols for investigative response to suspicious conduct. Importantly, the approach to such vital and often singularly knowledgeable employees should be an inclusive one that views them as special stewards with more responsibility than the average employee.
If approached carelessly, insider threat plans can breed mistrust, alienate key employees, erode company culture, and even violate labor or privacy laws. But, a quality program can be a leader’s most important legacy, reaping tangible dividends in loss prevented, jobs saved, and relationships forged.