[BreachExchange] Insider Threat Programs: A Beginner’s Guide

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 23 10:44:04 EST 2018


What your company spent years to develop can be lost in an instant at the
hands of one ill-intentioned employee. The statistics on employee theft of
intellectual property (IP) paint a dark portrait of what employees do when
disgruntled, moving on, or stockpiling for a rainy day. William Evanina,
the U.S. government’s National Counterintelligence Executive in the Office
of the Director of National Intelligence says, “As a corporate leader, the
single most important investment in protecting your proprietary information
and sensitive trade secrets is developing a viable and enterprise-wide
insider threat program”.

To paraphrase the well-worn mantra on hacking and apply it to the pandemic
of Insider Threat: There are two types of companies, those whose employees
have already stolen IP, and those who simply don’t know it yet. No matter
where your company is along its journey toward an effective insider threat
program, success or failure is measured by the last harmful egress of
research, formulas, algorithms, strategies, service manuals, or other
critical business information (CBI). Whether your effort to detect, deter,
and prevent CBI loss has become an industry model or is still a nascent
vision, three common components can help build a new plan or help review
and adapt a mature program.

Security professionals exploring insider threat fundamentals can take a
lesson from first year journalism students. Budding reporters are trained
to instinctively repeat basic questions designed to get to the truth, and
three of those questions drive formation of all Insider Threat programs:
“What?”; “Where?”; and, “Who?” Security leaders should make it their
practice to ask these three questions of their staff, key partners, and
operational components of their companies. What is it that most merits
protection? Where is this most critical information located, physically and
in cyber space? Who amongst us requires regular access to CBI?

As the past head of counterintelligence for the FBI, a former corporate
security executive for one of the world’s largest companies, and now a risk
management consultant, it no longer surprises me to hear new security
professionals struggle to answer these basic questions. Security
practitioners sometimes perpetuate the long-standing C-suite myth that
“security’s got this” when it comes to everything from a missing gym bag to
a missing gyroscope. The perception that someone, somewhere, must have
already addressed, planned for, or is in the process of resolving the
concern of the moment, provides comfort to our senior executives and job
assurance for those of us in the profession. But the comfort is dangerous
and the assurance is hollow. Rather, we should work to dispel the notion
that security can or should protect everything. To do that, the savvy
security executive endeavors to first identify and then deeply understand
exactly what represents the future of the company, where it resides, and
which employees have stewardship of this lifeblood. Done correctly, in
partnership with key stakeholders including Human Resources (HR), Legal, IT
Risk, and Engineering, Science or Business leaders, this approach provides
laser-like focus on what really matters, shares ownership across
components, and generates confidence in a process designed to protect
against existential threats to jobs and share price.

Build Your Team

Successful implementation of insider threat programs hinges on assembling
the right team. IP protection is a team sport and should not be carried out
by one component alone. The team requires willing senior-level participants
who are convinced the time is right to defend the company against the
threat from within. Leadership is often motivated to take this step by a
crisis sparked by the loss or near loss of a trade secret at the hands of a
departing or on-board employee or contractor. But waiting for such a crisis
is not advisable. Gather data on losses suffered within your industry,
supply chain, or customers. Talk to FBI corporate outreach contacts and ask
for examples of economic espionage targeting your technologies. Talk to HR
about where employees go when they depart and ask those employees’ former
managers whether cumulative losses pose a concern.

Meet one-on-one with a senior thought leader in Legal, IT Risk, HR,
Business Development, or Research and ask them to partner with you to
assemble a team and form an Insider Threat program. Next, meet individually
with each proposed team member to brief them on the threat and risk to
proprietary data and seek their support to more strongly defend the
company. In some non-defense corporate cultures, using the phrase “Insider
Threat” can still generate privacy, trust, and culture concerns. In one
large company, a security leader’s proposal to discuss such a program was
met with this question from the head of HR, “Do you not think we should
trust our employees?” The security leader responded, “I do, and I think we
should have mechanisms in place to defend our trust.” Meeting first with
each partner will allow you to listen to their concerns. Limit the team to
five or six decision makers from key functions. When the team is assembled,
start asking the first of the Journalism 101 questions.


Whether a newly appointed security leader or seasoned veteran, the question
at the heart of IP protection is, “What exactly are we protecting?”
Responses provided by security and business leaders to this single question
help measure the need for an Insider Threat initiative or the maturity of
an existing program. Common responses from the security ranks include: “I’m
protecting these buildings”, “I’m protecting this campus”, “I’m protecting
people”. Even security professionals in large, sophisticated corporations
frequently do not cite, “ideas”, “research”, “technologies”, or “critical
employees”, when asked what they protect. Follow-up questions on which
campuses, buildings, or people are more critical than others are sometimes
met with silence or criticism that the question implies some employees are
more important than others. One long-tenured security leader responded by
displaying his daily automated reports advising him which doors, hallways
and offices were entered, but he could neither articulate which company
functions occurred there nor how his data was relevant.

Importantly, your team should pose the “What” question to key business
leaders including the CEO, General Counsel, CFO, Supply Chain leader,
Research or Engineering executives, Business Development or Sales heads,
and corporate audit manager. Provide context by framing the question as an
attempt to identify the small subset of proprietary information that would
most damage the company if it fell into the wrong hands. Various formulas
and thresholds can be customized to help guide this discussion and quantify
the degree of damage to finances, share price and reputational risk.


Security professionals can only truly protect that which they know is
there. Once CBI is identified, the team must learn where it resides, in
both physical and cyber space. In large companies with thousands of
employees and facilities, this question is more easily asked than answered.
Yet, the answer is vital to learning how your CBI is exposed. One large
company locating its CBI discovered a proprietary formula sitting in an
open folder accessible by its entire employee population. Audit of the
folder revealed that employees in high-risk nations had visited the folder
without any valid reason.

When countering the insider threat, the physical and the cyber security of
CBI must be viewed as one holistic endeavor. The behavior of data and the
behavior of humans are inextricably linked and the partnership between IT
Risk and Physical Security should be seamless. Once aware that specific
buildings, offices, or laboratories contain CBI, protocols and checklists
for enhanced safeguarding can be drafted. This initiative counters more
than just the internal threat. Upon learning the location of a sensitive
manufacturing process, one company found the process was part of a public
tour route.


The seemingly simple “Who” question can generate more consternation than
the previous two questions combined, particularly from your partners in HR
and Labor & Employment Law. While answering the first two questions is
often labor intensive, this last query raises issues of policy,
organizational culture, and law. Companies may learn that some CBI is
assigned to contractors, and the team must wrestle with the issue of
whether people with less allegiance, and more transient tenure, should be
entrusted with the firm’s future. Yet, identifying employees who require
access to CBI is easy compared to planning how to relate to them. This
discussion should include: standards for employees to receive and maintain
CBI access; policies on travel and device security; enhanced computer
monitoring; and, governance protocols for investigative response to
suspicious conduct. Importantly, the approach to such vital and often
singularly knowledgeable employees should be an inclusive one that views
them as special stewards with more responsibility than the average employee.

If approached carelessly, insider threat plans can breed mistrust, alienate
key employees, erode company culture, and even violate labor or privacy
laws. But, a quality program can be a leader’s most important legacy,
reaping tangible dividends in loss prevented, jobs saved, and relationships