From trade secrets and intellectual property theft to active shooters, organizations face a wide range of potential threats from malicious insiders. One of the problems with mitigating the risks posed by insider threats is that they are often dealt with from two different sides: IT security and physical security. However, to have truly robust protection against malicious insiders, businesses need to develop and implement a comprehensive approach that encompasses all aspects or organizational security.
According to Dr. Michael Gelles, a former chief psychologist for the U.S. Naval Criminal Investigative Service who currently serves as director for Deloitte Consulting’s federal practice, organizations, by and large, tend to be at different levels of maturity when it comes to mitigating against insider threats. In the federal government, for example, Gelles said the intelligence community has developed “fairly mature” programs. But, when you look at agencies that are not involved in national defense or intelligence gathering efforts, Gelles said their programs are clearly not as developed. The maturity level of insider threat mitigation initiatives also varies widely in the commercial sector.
“For example, in the financial industry, we actually see programs that have moved along and matured quite significantly. And then, of course, as you look at other industries, it is very spotty,” he said. “Some have addressed it in oil and gas, pharmaceuticals and some folks in technology have addressed it more aggressively than others, so essentially there is a broad swath of levels of maturity. The thing they all have in common is that every organization that we’re talking with across the different lines of industries are very interested in the topic and very interested in thinking about how to protect against insider threat and beginning to develop a program.”
One of the biggest challenges for organizations in trying to develop a foundational plan, according to Gelles, is figuring out exactly who will take ownership of it. Where an insider threat program is owned or placed within an organization oftentimes drives the perspective of it, which could leave room for significant security gaps.
“A CSO may tend to be more focused on sort of the non-virtual issues while the CISOs tend to be a little more focused on the virtual issues. This is a problem that has to be looked at holistically, across a whole person, so you have to look at what is going on in both the virtual space where business is conducted as well as in the non-virtual space,” explained Gelles.
Gelles said that organizations also struggle with defining what it is they want to protect and their overall risk appetite. “Once they’ve identified what they want to protect, what are they willing to do to protect it based on the business and the way they do business?” he asked.
Among the things that Gelles said businesses have to take into consideration when developing these plans include how they view issues surrounding employee monitoring and privacy, as well as more traditional concepts surrounding implementing the right policies, training and communication procedures for the workforce.
Although every organization has to be vigilant in protecting against the dangers posed by malicious insiders, Gelles said he has recently seen what appears to be an uptick in “complacent” activity. Gelles defines a complacent insider as someone who has a lax attitude towards security policies and procedures and sees themselves as being above the rules. Organizations can also be victimized by an “ignorant insider,” which is a person that, because an organization doesn’t have policies and procedures in place, doesn’t know what they are doing and may make egregious errors that result in external attacks.
As difficult as it is to believe given all of the highly-publicized events involving malicious insiders, Gelles said many business leaders still struggle to come to grips with the fact that people they know and hired would bring their company harm.
“In essence, I believe there is some naivety on behalf of organizations that, while they are concerned about external attacks, they are really now beginning to think about, ‘Wow, am I really exposed to the insider,” added Gelles. “The insider also has an interesting component as it relates to the current demographic in the workforce and some of the way we do business. In the days of brick-and-mortar when we used to do business with paper and hard material, today business is done in the virtual space where material can be moved in very large quantities. Interestingly enough, the workforce today and specifically some of the younger generations, believe that, ‘if I created it, I own it and I can take it with me to my next job.’ It redefines what the witting insider is.”
Historically, Gelles said that insiders, as a general rule, are not impulsive but rather follow a continuum from idea to action. That pattern of behavior, however, does not change whether the action they carry out is done virtually or physically.
“If you are going to mitigate the insider threat, you must look at what the person does – that’s a very important distinction, it’s not who a person is, it’s what a person does – and what is (the organization) doing holistically,” said Gelles. “There are many different indicators that you want to be paying attention to. If you were only paying attention to what someone was doing in the virtual space, where they were logging on, what they were downloading, where they were emailing, what type of data was being exfiltrated, you might be missing the fact that they are moving around the building attempting to badge into places they shouldn’t be.”
Despite organizations’ best efforts to recruit and vet the best employees, Gelles said that workers can run into a crisis in their personal lives that leads them to do things they never would have done under normal circumstances.
“If you look at a lot of the spies who committed espionage in the United States, they were all were vetted and they all had security clearances. People who have access may develop a crisis and that crisis may lead to using proprietary information, R&D or classified information as a solution to their crisis rather than seeking alternatives methods that would be more appropriate,” said Gelles. “The misconception is, ‘I recruited someone, I vetted someone and therefore they are going to be a good employee because they work for me.’