RSA Conference 2020 – San Francisco – Every employee has the potential to become an insider threat, whether through accidental or malicious means. Organizations with the right steps in place can both prevent a person from going rogue and detect these threats before it’s too late.
At the US Department of State, everyone who has virtual or physical access to its network, facilities, or information is considered an insider, said Greg Collins, a contractor policy adviser, during an RSA Conference session this week on insider threats. “Anything that they can access and attempt to misuse is an insider threat,” Collins explained.
“It is not just a tech problem, it’s not just a security issue, and it’s not just a personnel issue,” added Jackie Atiles, insider threat program director at the State Department. When an insider threat takes place, businesses can’t go back and change what happened, but they can look back and see the indicators that were available to them in order to prevent future threats.
These markers can be spotted at all stages of the employee cycle, Collins said, a process that typically looks the same for organizations across industries and includes the following steps: hiring, vetting, training, inclusion, support, and security. He and Atiles took an insider threat scenario and viewed it through each step to pinpoint red flags indicating malicious activity.
In their example scenario – which was made up for this presentation but will likely sound familiar to many organizations – they used an employee who sends an email containing sensitive internal data to someone outside the organization. “This keeps me up at night,” Collins said. “This is something you absolutely don’t want to happen.”
But it does happen, and when it does, it’s important to first substitute the individual’s name with a unique identifier. “One thing we really stand behind is trying to prevent reputational harm,” Collins said. If insider activity has occurred but you don’t know if there was malintent, it’s best to keep the individual anonymous so as to not muddy the person’s name. Once the case has been established, you can start to backtrack and determine where, exactly, they went wrong.
In this scenario, the threat has already happened. Instead of starting the investigation process from the hiring phase, Atiles advised starting with security mechanisms in place. “IT is the last line of defense when it comes to information leaving the network,” she explained, and there are several indicators someone might do this before they hit Send. Look for trigger words: an external company name, “attachment,” or “secret.” Ask questions: What was the attachment? Is this something that has regularly occurred? Is there a reason they’re using the word “secret”?
“While security can identify the anomalies through ones and zeroes, the human element can be used to identify what the potential threats are,” Atiles explained.
Taking another step back in the cycle takes you to support, or policies and resources that are in place to ensure employees have support for professional, personal, or financial stress. If an insider accidentally breaches security rules or takes files outside the organization, it could be due to external circumstances causing them to behave differently than usual, Collins noted. By providing support to their employees, company leaders may be able to prevent this activity.
“Managers need to manage; managers need to engage,” Atiles said. “Supervisors are the best defense against insider threat behavior. There is a difference between an introverted employee who wants to alone sometimes and an isolationist who exclusively keeps to themselves all day.
She emphasized the importance of making people feel included. “As people move positions … make sure you’re building an environment that includes people and doesn’t create an insider risk from the start.” Educating managers on team building isn’t just a “feel-good” activity, Atiles noted. Employees who feel included are less likely to become a future security risk.
Employee Vetting and Training
Properly vetting and training employees can help organizations spot threats before it’s too late.
Training can cover a range of different topics, said Collins, listing security awareness, data handling, diversity and equal employment opportunity, performance, and development as examples. You want to make sure employees regularly complete training, especially if they handle information like human resources data, medical records, financial records, and Social Security numbers.
If an employee sends an email with company data outside the organization, consider whether they completed their assigned trainings. Did they take the training? Were they compliant?
Prior to the training stage are the hiring and vetting stages of the employee cycle. “You need to vet your employees from the beginning,” Atiles said. “It’s a disservice to your own organization if you don’t know who you have working for you.”
The vetting process should be uniform, consistent with policies, and approved by general counsel, she said. It may include criminal records, financial reports, background verification, outside associations, open source information, and foreign travel and contacts. Bringing a new person onboard is your initial opportunity to make sure you’re not hiring an insider threat.
A candidate’s resume, interview, and references can be instrumental in gauging their risk. “These are huge chunks of the professional profile that makes up this individual,” she added.
The insider threat can appear in any part of the employee cycle, but by the time the threat takes place, it’s too late to detect it. Taking this structure and putting it around your organization is going to lower that potential of risk, Collins said.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio