One of the results of Edward Snowden's data leak is that companies are now more concerned about the insider threat than they ever were before. He demonstrated that a single person inside an organization can devastate it. While technology should have caught Snowden, there is also the realization that his coworkers and managers should have noticed indications of unusual activity.
The question then becomes how you train employees to tactfully recognize the signs of a malicious insider without creating widespread distrust within the organization. Back when I worked at NSA, one of my coworkers pointed out two documents that both described a fellow employee who 1) is always interested in what coworkers are doing, 2) volunteers for extra assignments, 3) always works late, and 4) never takes a vacation. One of the documents was from human resources, on how to get promoted. The other was from the security department, on how to tell if your coworker is a spy.
Clearly NSA employees failed to determine which side of that spectrum Snowden fell on, while employees at his past employer, the CIA, accurately determined his predisposition to expose classified information. Snowden demonstrates that even within organizations that should know better, detecting a malicious insider is hit or miss. How, then, is an organization outside the Intelligence Community supposed to make its employees aware of the concern, especially without inspiring a witch hunt?
The problem is real. Malicious insiders have wreaked havoc in organizations of all types. While the IT world focuses on stories of rogue administrators, insiders in all roles carry out thefts and other malicious actions. While some wrongdoers are very clever and cover their actions well, the reality is that just about all malicious insiders show indications of their intent. This is relevant to awareness programs because the insider's coworkers are in the best position to see those indications.
Balancing tact against awareness is delicate, but it must be done. Generally, there are three requirements for awareness to be effective: 1) understanding of the problem, 2) knowledge of what actions to take, and 3) motivation to take the appropriate actions. Understanding the problem should generally create motivation, but an effective awareness program must specifically ensure that it addresses both. You can be aware that an issue exists while not being motivated to do anything about it.
The easy part of addressing the insider threat is that there are now many examples to help get the message across. People like Snowden and Chelsea Manning are clear examples that it only takes one person to cause a lot of damage. While these individuals have become household names, it is better to use examples from your own company or industry. Some companies understandably do not like to highlight their own incidents, but they can anonymize the cases. The message itself is simple: insiders are a big threat, so do not ignore signs of questionable behavior.
The message tagline could be the organizational equivalent of "If you see something, say something." The message should tell employees to be on the lookout for violations of policies and procedures. It is also critical to remind employees that it is people just like themselves who have stopped major insider crimes.
You must, however, avoid creating a modern-day Salem. The focus of your guidance should be telling employees to look for behaviors that are clear violations of policies and procedures. Examples include people looking through other people's desks, asking for passwords, being in areas where they do not belong, and attempting to access other people's computer accounts. There are also financial and other wrongdoings specific to job roles and industry sector.
A more delicate, but just as important, aspect of awareness is for people to be comfortable reporting uncomfortable feelings. This is admittedly vague, but uncomfortable feelings have led to catching malicious insiders in a variety of incidents. In one case we are personally familiar with, an employee felt uncomfortable that one of her coworkers spoke Chinese a lot on the telephone at work, even though they did not work with any Chinese people. The woman reported it, and an FBI investigation uncovered that the employee in question was funneling information to Chinese intelligence operatives.
Everyone violates policies and procedures at some point, without malicious intent. However, people need to know that some of the most harmful incidents were stopped because of observant employees. Again, though, the focus is on reporting incidents, not on reporting the individuals committing the violations. This is important for a wide variety of reasons.
The action employees need to take is simply to report the questionable incident to Human Resources, their management, or the security team. However, you need to allow for anonymous reporting and have strong measures in place to protect the identity of the employee making the report. Reporting another employee can clearly result in negative consequences for all involved. Anonymity is critical even if it potentially makes it impossible to gather criminal evidence: the goal is to detect incidents and stop the loss. Most organizations should already have an established incident reporting structure. Those that do not should consult with the legal and human resources departments to create one.
Clearly, when trying to motivate employees to inform the organization about violations by other employees, you should get the Human Resources and Legal departments involved, at least in approving the awareness materials that are distributed. They will very likely be able to provide guidance on how best to implement other aspects of the program as well.
Snowden's activities triggered interest in organizations in examining what technological controls they can put in place to stop their own Snowden. Yet just as NSA realized that Snowden's coworkers should have detected his crimes, all organizations must proactively strengthen their non-technical security measures, especially awareness. Snowden's coworkers should have been able to detect his actions more effectively than any technical countermeasure could have. Therefore, companies that are truly interested in preventing the insider threat should focus on making their employees the primary detectors of insider abuse.
The insider threat is too important a subject to shy away from, no matter how sensitive the implications may be. History has shown us that the risk is too great.
Ira Winkler, CISSP and Samantha Manke can be contacted at www.securementem.com.