Vantage Point: Build, Review, and Strengthen Your Insider Threat Program for National Insider Threat

Did you know September is also National Insider Threat Month? We read headlines almost daily about the damaging affects malicious insiders have on our businesses, organization or national security. Headlines like, Employee Passes Secret Information to Competitors, Data Breach Carried Out by a Single Insider, Disgruntled Employee Changes Code, Exfiltrates Data and Foreign National Business Partners Steal Critical Software Program.

As InfraGardNCR members, it’s likely you play a key role in protecting your company or organization from threats and September – National Insider Threat Awareness Month – is the perfect time to review your internal detection, deterrence and mitigations strategies and evaluate new approaches to reduce the risk of damage to your organization.

According to the National Insider Threat Task Force (NITTF) “an insider is any person with authorized access to an organization’s resources to include personnel, facilities, information, equipment, networks, or systems.” The NITTF defines the insider threat as “the risk an insider will use their authorized access, wittingly or unwittingly, to do harm to their organization. This can include theft of proprietary information and technology; damage to company facilities, systems or equipment; actual or threatened harm to employees; or other actions that would prevent the company from carrying out its normal business practice.”

If you’re in the process of building or perhaps strengthening an existing program within your organization, the NITTF has an excellent, publicly available guide titled, Protect Your Organization for the Inside Out. This guide details a series of low-cost steps based on best practices to help a business or organization of any size get started building or improving their existing program. The nine fundamental steps outlined in the guide are as follows:

1. Decide who should be engaged - Identifying a single senior individual in your organization responsible for supervising the effort along with individuals from key areas of your enterprise including human resources, security, IT, training, and legal, as well as front line managers or supervisors.

2. Determine what matters most to your organization - Identify your “crown jewels” of your organization. This could include products, formulas, manufacturing techniques, software, algorithms, and customer information. These things if stolen or destroyed could significantly harm, cripple, or ruin your organization.

3. Reassess personnel management practices – This step includes reviewing management practices and existing processes for individuals who may be provided access to information, IT systems, and facilities, to include outside consultants, contractors, and business partners. A critical part of this step includes pre-employment background screening and periodic rescreening of your workforce.

4. Develop clear termination procedures - According to a 2018 report published by Carnegie Mellon University Software Engineering Institute titled, Common Sense Guide to Mitigating Insider Threats, Sixth Edition, “malicious insiders conduct illicit activities with 90 days of their termination.”

5. Engage the workforce - Develop a plan to educate the workforce and create a simple widely-know way that employees can report suspicious or concerning behaviors, provide feedback, or convey concerns.

6. Review IT systems for security and vulnerability – This includes implementing policies and technical controls to enforce least privilege access based on need-to-know principles, separation of duties, enhanced monitoring of privileged users, collecting logs and auditing information systems, and implementing a robust back-up and recovery strategy to name a few.

7. Engage your privacy experts – Always seek legal counsel to ensure your policies are consistent with current privacy laws and protect the rights of your workforce.

8. Put information into context - Only you know what is normal for your organization and employees. Putting information into context requires a team effort so be sure to leverage the full team identified in Step 1 to review available information.

9. Test your security posture – Internal and external testing is critical to any security program’s success. Consider regular external penetration tests to expose unknown vulnerabilities, perform tabletop exercises with key stakeholders to rehearse critical response processes, and consider randomly audit important processes like your background screening or employee termination processes to ensure they’re being executed as planned.

This blog post provides InfraGardNCR members a basic framework for building or strengthening their Insider Threat Programs. There are many no-cost resources available to help enhance your program that go into much greater detail and provide strategies to detect, deter or mitigate insider threats. I’ve listed several valuable resources below with hyperlinks to each organization’s insider threat division.

Additional Resources:

Federal Bureau of Investigations (FBI)

The FBI maintains a robust program to help U.S. organizations, including private sector companies, academic institutions, and non-profits, to deter risks from insiders. It also investigates crimes committed by insiders. Local FBI field offices are key points of contact for assistance in developing a mitigation program.

National Counterintelligence and Security Center

The National Counterintelligence and Security Center (NCSC) provides leadership and support to the counterintelligence and security activities of the U.S. Intelligence Community, the U.S. Government, and U.S. private sector.

National Insider Threat Task Force (NIITF)

The National Insider Threat Task Force (NITTF) is an entity created by Executive Order 13587. The NITTF mission is to deter, detect and mitigate actions by employees who may represent a threat to national security by developing a national insider threat program.

Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA)

CISA is the Nation’s risk advisor, working with partners to defend against today’s threats, including insider threats, and collaborating to build more secure and resilient infrastructure for the future.

Defense Counterintelligence and Security Agency (DCSA) Insider Threat Program

The DSCA Insider Threat Program was established to ensure safeguards and resources are in place to provide the agency’s hard-working and dedicated workforce with a safe environment to carry out its important mission.

Carnegie Mellon University Software Engineering Institute, CERT Division

CERT© is a U.S. Government-funded organization located at Carnegie Mellon University that, among other activities, oversees a comprehensive collection of information and resources related to risks from insiders.