During the early morning hours of Oct. 1, 2019, three armed men broke into the Santa Cruz, CA, oceanfront home of Tushar Atre. The men threatened and restrained Atre and his girlfriend and then left the home with Atre, taking him away in the girlfriend’s BMW SUV. The kidnapping crew then took Atre to a warehouse in the Santa Cruz mountains where he operated a cannabis growing business, Intersitital Systems. Atre’s body was found later that morning -- he had been shot dead in an apparently financially-motivated crime.
Four men were arrested in May 2020 and charged with Atre’s murder. Two of the men charged were employees of Interstitial Systems, indicating that it was an inside crime. Such crimes are common in corporate America and appear to be even more prevalent in the cannabis industry. In fact, some insurance industry estimates indicate that some 90 percent of the losses in the cannabis industry are related to insiders. That is the bad news -- the good news is that there are steps corporate leaders can take to protect their companies. But first, let us take a moment to define what we mean by an insider threat.
Defining the Insider Threat
Anyone associated with your company can potentially cause harm, whether it is intentional, through error or by negligence. For our purposes here, we will focus on those who intentionally seek to cause harm, people we will refer to as an “inside threat actors.” An inside threat actor is generally someone associated with your organization such as an employee, a contractor, an employee of a service provider, or anyone else in a position to obtain intimate knowledge of your facilities and operations. An insider has natural covers for status and action that an "outsider" does not, meaning they have a logical explanation for being where they are and doing what they are doing. But beyond knowing the ins and outs of the company’s facilities and having a reason to be there, an insider can also develop a detailed understanding of internal security programs, policies and procedures that can assist them in planning and conducting their crimes.
There are three main types of inside threat actors. The first are individuals who are initially well-intentioned, but who later become malicious and decide to commit a crime as the result of some real or perceived grievance, or due to some other motivation, such as greed. Such a change in behavior can also be brought about by some sort of personal crisis, a mental health issue, or a combination of these factors.
Other insiders can become threats upon or after losing their job. These threats can include not only workplace violence but also malicious attacks intended to damage company property or even IT systems. Such threats can not only spring from ex-company employees; former employees of a business partner, contractor or service provider can also cause significant harm to your company utilizing the unique knowledge gained while working for that outside entity. An example would be an IT services provider, cleaning service or construction contractor, etc.
Finally, some insiders can even seek out employment at a company with the sole intent of causing some sort of harm – what is referred to as a mole in intelligence parlance. Such an actor will worm their way into the company all the while intending to steal some type of intellectual property, product, or cash.
Indeed, given a large amount of cash associated with the cannabis industry, and a product that is quite easy to sell, it is not difficult to see how insider theft and diversion are a problem. However, by its very nature, the industry is in many ways like the pharmaceutical and food industries, and hybrid strains of plants and the specific recipes used to create edibles or vape cartridges are all valuable to competitors, thus rising a corporate espionage threat. Additionally, like every other company, insiders also pose a threat to commit workplace violence, embezzlement, sexual assault, and other crimes.
Mitigating the Insider Threat
The myriad of threats that can arise from insiders, and the different types of inside actors, mean that there is no simple, silver bullet-type solution to the problem. Instead, a good insider threat mitigation program must have several overlapping elements.
The first element is a robust pre-employment screening and background check process. A good screening process that confirms resume claims and talks to past employers and other references can be very useful in identifying potential problem employees before they are hired. However, pre-employment screening does have some limitations. For example, police records and fingerprint checks, are only useful in identifying individuals who have been previously caught in a crime, and not those who have yet to be caught. This was the case in the Atre kidnapping and murder. None of the suspects had previous arrest records. In fact, the two brothers charged in this crime came from a Christian missionary family leading one to conclude a background free from criminal activity or influence.
Furthermore, people’s circumstances can change over time, and these changes can contribute to their decision to participate in criminal behavior. Mental illness, debt, traumatic life experiences and addiction can all have a dramatic effect on a person's behavior and character. Thus, vetting must not be viewed as something done only when a person is hired, but rather as an ongoing process. This monitoring process must be accompanied by clearly established guidelines as to what factors will trigger a re-assessment of an employee’s suitability for employment, or access to cash, product, or other sensitive materials. Persistent screening has become more prevalent in today’s corporate work environment and would certainly be a viable option for the cannabis industry.
Another important element is security education and awareness. Obviously, company stakeholders such as human resources, security, legal counsel, IT and people managers should be educated about the insider threat, but in our estimation, the entire workforce from the receptionist to the CEO should be trained about insider actors and the behaviors they exhibit. The co-workers of an inside threat actor will typically have far more interaction with him or her than will HR, security, or even their manager, which means they have far more opportunities to notice grievances or other types of troubling behavior.
Crimes do not occur out of a vacuum; they are part of a process that can be discerned – and disrupted – but only if someone is looking. In addition to training on what behaviors to look for, employees should also be provided with clear guidance on what to report and who to report it to. Speaking of reporting, effort should be made to build a culture that views the reporting of such behaviors as a way to identify and get help for troubled employees and to protect the company and employees, rather than as snitching on co-workers. Accordingly, such reports must be kept in confidence to protect the reputation of the employee involved as well as the confidentiality of the person making the report. While some have mocked the simplicity of the “see something, say something” motto, this principle has helped to avert many cases of workplace violence and other crimes. Technology has enabled today’s workforce to make anonymous reporting easy. Smartphone apps and programs are intuitive and provide quick assessment and response to threatening situations or conditions.
Solid physical security measures to include access control and CCTV systems are also important elements to help protect against various types of insider threats. They can help limit access to sensitive material and can also help protect against workplace violence. Proper cybersecurity protocols and procedures are other critical elements, and they must go hand in glove with physical security programs.
Also, as evidenced by the Atre case, residential security for key corporate leaders is also important. It is not enough to have these systems in place, they must also be used. Executives must pay close attention and have a clear understanding of the security risk profile for themselves and their families.
When it comes to protecting proprietary company secrets such as recipes and formulas, it is critical to clearly identify what information truly needs to be protected; only grant access to people with a clear need for their jobs; carefully vet the people provided access, and then control when where and how they can access it. This same principle would apply to sensitive items related to intellectual property such as the seeds of hybrid plants the company has invested a great deal of effort or money to produce.
Security policies and protocols are also critical elements in helping to mitigate the insider threat. Especially as they layout procedures for investigating incidents and reports, outline the proper procedure for terminating employees and for assessing and managing threats. Termination protocols and “checklists” ensure a measured and risk-based approach when separation is required.
As long as companies have employees, it will never be possible to completely remove the threat posed by insiders; however, a solid, holistic security program can help to greatly mitigate the impact the insider threat can have on your business.
About the authors: Scott Stewart is a Vice President at TorchStone Global. Scott is a seasoned protective intelligence practitioner with 35 years of analytical, investigative and security experience. Stewart led Stratfor’s global analysis of terrorism and security topics from 2004 to 2020. Before joining Stratfor, he was a special agent with the U.S. State Department for 10 years and was involved in hundreds of terrorism investigations. Stewart was the lead State Department investigator assigned to the 1993 World Trade Center bombing and the follow-up New York City bomb plot. He also led a team of American agents assisting the Argentine investigation of the 1992 bombing of the Israeli Embassy in Buenos Aires and was involved in investigations following a series of attacks and attempted attacks by the Iraqi intelligence service during the first Gulf War. He also served as the deputy regional security officer in Guatemala City and was responsible for the embassy and diplomatic security at that post as well as in Belize City. As a protective intelligence coordinator for Dell, he served as a member of Michael Dell's executive protective team. He has also consulted on terrorism issues for the Texas Department of Public Safety. Scott is regularly featured in leading media outlets, including The New York Times, the Los Angeles Times, CNN International, NPR, Reuters, USA Today, The Associated Press, World Magazine, Fox News, Discovery Channel and Time magazine. He was one of the DSS Special Agents profiled in the book Relentless Pursuit: The DSS and the Manhunt for the Al-Qaeda Terrorists by Samuel M Katz.
Mark Lex is a Senior Vice President of TorchStone, a premiere risk advisory firm formed to serve the unique needs of the world’s leading organizations and individuals. The company focuses its efforts on preventive measures in Personal Protection, Cyber Security and Fraud Prevention. TorchStone delivers customized security solutions for clients who seek to protect their most important assets: People, Capital, and Information. Lex is a veteran security executive, with past stops as the Security Director for PayPal, Director of Global Security with Abbott Labs, Director of Safety & Security at W.W. Grainger. and the Director of Corporate Security NA for Kraft Foods. Lex is a former Board Member with IAPSC and an Emeritus Faculty member with the Security Executive Council. He is also a life member of ISMA.