|The worst insider threats are existential, dangerous enough to literally destroy an organisation|
The key to maintaining an effective security system is timely detection of security breaches. Widespread use of technology has resulted in massive amounts of data transfer which in turn makes organisations vulnerable to both internal and external threats. Mass shootings, data thefts and other internal breaches of security have cast a spotlight on the issue of insider threats. According to the Security Executive Council, an insider threat is: “Any risk posed by current or formerly trusted individual(s) with access or privileged knowledge; used to damage, deprive, diminish, injure or interrupt organisational stakeholders, assets, critical processes, information, systems or brand reputation. Insider threats include any illegal, prohibited or unauthorised conduct (acts or omissions).”
What kind of harm do insider threats cause?
Not long ago, a computer programmer working for a Wall Street firm stole 32 megabytes of proprietary computer code with the idea of selling the data to a competing firm. The company discovered the theft through routine network monitoring. The employee was charged and convicted of stealing trade secrets.
This and a number of other examples of the trouble insider threats can cause come from an FBI brochure entitled “The Insider Threat.”
The examples in the brochure mostly relate to thefts of computer files, but experts caution that insider threats go far beyond data theft. For example, they point to Nidal Malik Hasan, the U.S. Army Major who shot and killed 13 people and injured more than 30 others at Fort Hood in Texas in 2009. He worked at Fort Hood as a psychiatrist.
Insider threats can harm a company — or a government agency — in dozens of ways, from stealing proprietary information to injuring or killing people. The worst insider threats are existential— dangerous enough to literally destroy an organisation or business.
Experts say that insider threats don’t necessarily match the description of a mass shooter before the act.
Identifying insider threats
Experts say that insider threats don’t necessarily match the description of a mass shooter before the act. You’ve heard that description: Someone who has grown withdrawn, moody and disagreeable.
An insider threat secretly plotting to do harm will likely try to hide his or her emotional state from others.
“The FBI lists a number of behavioural indicators that insider threats might display,” says Mike McCall, owner and president of MPM Consulting LLC, a consultancy that helps clients deal with inside threats.
Insider threats might indicate their attention by:
- Taking proprietary material home without need or authorisation.
- Paying too much attention to matters outside the scope of duties, particularly those of interest to competitors.
- Accessing the company network remotely while on vacation, sick leave or other unusual times.
- Disregarding IT security policies by installing personal software or hardware, conducting unauthorised searches or downloading confidential material.
- Visiting foreign countries for unexplained or odd reasons.
“I’ve asked one of my contacts at the FBI how many of these indicators you would want to see before taking steps,” says McCall. “The answer is three or four.”
The Security Executive Council advises companies to form cross-functional risk councils to identify risks of concern and to discuss mitigation strategies for the risks
Mitigating insider threats
The Security Executive Council advises companies to form cross-functional risk councils to identify risks of concern and to discuss mitigation strategies for the risks. Among the many types of risks these councils evaluate are insider threats.
“Members of the council are drawn from many functions across the corporation that deal with risk” says Kathleen Kotwica, executive vice president and chief knowledge strategist with the Security Executive Council. “That’s important because different departments will focus on different risks or aspects of risks.“
“R&D might be concerned about intellectual property theft, while personnel might be more concerned about workplace violence ,” she adds. “IT will concentrate on cybercrime, permission issues and the misuse of passwords. By creating an umbrella group, you can look at all the risks facing a company, and communicate it up the chain, including insider threats.
If the security department is starting an insider risk mitigation program, revamping an existing insider risk program or reviewing the current program, the Security Industry Council can take them through the steps to identify insider risks, rate those risks on a scale from a minor threat to a major threat, identify potential actors and targets, who in the corporation is responsible for mitigation, and look at the balance between mitigation options and cost.
“From there, we create a scorecard that reflects which insider threat risks are adequately covered and which are not,” says Kotwica. “This can be used to plan appropriate strategies to reduce the gaps identified.”