For companies and other organizations, sometimes the biggest threat comes from within. An "insider" is generally someone with intimate knowledge of a facility being targeted, as well as natural covers for status and action that an "outsider" would lack. But beyond knowing the ins and outs of a facility and having a reason to be there, an insider can also develop a detailed understanding of internal security programs, policies and procedures to help them plan and conduct their crime.
At Stratfor, we think about the insider threat a lot as our team frequently analyzes incidents pertaining to our clients and subscribers. Insiders can pose an array of threats depending on the nature of the targeted organization. In other words, an elementary school will be more concerned about protecting the physical safety of children than, say, a manufacturing company. Thus, it is important to ensure that security programs protect against the full scope of threats most relevant to specific institutions. But before being able to design the types of comprehensive efforts needed to do so, it's crucial to first have a good grasp of what the actual insider threat is.
One of the foundational precepts of Stratfor's approach to understanding attacks, crimes and corporate espionage is that these events do not arise out of a vacuum. Rather, they are the result of a careful and intentional planning process that can be discerned and detected — and can thus be interrupted. The insider threat is no different: it emanates from people who have (or once had) access to an organization that affords them an understanding of the target's security programs, policies and procedures that an outsider lacks.
Portrait of an Insider
Anyone who has an understanding of the inner workings of a certain organization can feasibly cause it harm, whether intentionally, through error or by negligence. Current employees can become malicious as a result of some real or perceived grievance, or after being recruited by an external threat actor. An engineer who worked at Apple's autonomous vehicle program, for example, leveraged his detailed knowledge of the company's new security procedures to share proprietary information with a Chinese competitor. Following a previous security breach, Apple had made it impossible to download sensitive files to a thumb drive. But to defeat this new restriction, the employee simply used his phone to take photos of documents on his computer screen.
Other insiders can become threats upon or after losing their job, as evidenced by the Virginia Beach shooter, or the two former CIA officers who were recently convicted for spying on China's behalf. The recent Capital One hack — in which an ex-Amazon employee gained access to more than 100 million credit card applications — shows how even former employees of a business partner can still cause significant harm by utilizing the unique knowledge gained while working with another organization. Contractors (like Edward Snowden) and service providers (like members of a janitorial staff) also pose a risk.
Some insiders can even seek out employment at a targeted organization with the sole intent of becoming a mole to cause some sort of harm. There are some very good screening and vetting tools available to protect against hiring such applicants. But employees and their circumstances change over time. Mental illness, debt, traumatic life experiences and addiction can have a dramatic effect on a person's behavior and character. Thus, vetting must not be viewed as something done only when a person is hired, but rather as an ongoing process.
Protecting Against Internal Threats
Many organizations also focus their insider threat programs on a narrow area, such as workplace violence or industrial espionage and protecting intellectual property. However, a malicious insider can pose a number of other threats that must be guarded against. A growing number of information technology companies, for example, are developing artificial intelligence tools to help guard against some of them. These programs are often designed to monitor the information that employees access as well as what they're doing with it, and to flag any anomalous behavior. But such programs are focused only on certain risks like intellectual property theft, and thus do not help guard against workplace violence incidents or the many other non-cyber threats that insiders pose.
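The monitoring tools described above work by building a baseline of each employee's normal data access and flagging days that depart from it. The following is an added illustration of that idea, not code from the article or from any vendor's product: it parses a constructed file-access log (the users, paths and dates are made up for this example) and compares each user's day against that user's own prior days on event count, bytes moved, new areas of the file share and new kinds of action. It also shows the limit the article points to: the detector only sees what is logged, so a photograph of a screen, as in the Apple case, leaves no trace for it to score.

```python
"""Per-user behavioural baseline over file-access logs (added example,
not part of the original article). All log data below is constructed."""
from collections import defaultdict
from statistics import mean

# Constructed sample log: "<date> <user> <action> <resource> <bytes>".
# 'alice' has a quiet week of reads, then one day of bulk downloads that
# reach into a part of the share she has never touched before.
SAMPLE_LOG = """\
2019-08-01 alice read /eng/design/spec-v3.pdf 120000
2019-08-01 alice read /eng/design/spec-v2.pdf 115000
2019-08-02 alice read /eng/design/spec-v3.pdf 120000
2019-08-02 alice read /eng/notes/meeting.txt 4000
2019-08-03 alice read /eng/design/spec-v3.pdf 120000
2019-08-03 alice read /eng/notes/todo.txt 2000
2019-08-04 alice read /eng/design/spec-v3.pdf 120000
2019-08-05 alice download /eng/design/spec-v3.pdf 120000
2019-08-05 alice download /eng/design/spec-v2.pdf 115000
2019-08-05 alice download /eng/design/spec-v1.pdf 110000
2019-08-05 alice download /eng/design/spec-v0.pdf 105000
2019-08-05 alice download /hr/salaries.xlsx 90000
2019-08-05 alice download /eng/design/schematic.dwg 2400000
2019-08-01 bob read /hr/salaries.xlsx 90000
2019-08-02 bob read /hr/reviews.docx 30000
2019-08-03 bob read /hr/salaries.xlsx 90000
"""


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, resource, size = line.split()
        events.append({
            "day": day, "user": user, "action": action,
            "resource": resource, "bytes": int(size),
            # top-level directory stands in for the "area" of the share
            "area": resource.split("/")[1],
        })
    return events


def daily_activity(events):
    """Group events as {user: {day: [events]}}."""
    per_user = defaultdict(lambda: defaultdict(list))
    for ev in events:
        per_user[ev["user"]][ev["day"]].append(ev)
    return per_user


def score_day(history, today, volume_factor):
    """Compare one day's events with the same user's prior days.

    history: list of prior days, each a list of events; today: list of events.
    Returns a sorted list of reason strings (empty means nothing unusual).
    """
    reasons = []
    prior_counts = [len(d) for d in history]
    prior_bytes = [sum(e["bytes"] for e in d) for d in history]
    count = len(today)
    total = sum(e["bytes"] for e in today)
    # Volume checks: a multiple of the user's own average, with a floor on
    # event count so that a single extra file on a slow day is not an alert.
    if count >= 3 and count > volume_factor * mean(prior_counts):
        reasons.append("event_volume")
    if total > volume_factor * mean(prior_bytes):
        reasons.append("byte_volume")
    # Novelty checks: areas of the share or actions never seen for this user.
    seen_areas = {e["area"] for d in history for e in d}
    seen_actions = {e["action"] for d in history for e in d}
    for area in sorted({e["area"] for e in today} - seen_areas):
        reasons.append(f"new_area:{area}")
    for action in sorted({e["action"] for e in today} - seen_actions):
        reasons.append(f"new_action:{action}")
    return sorted(reasons)


def find_anomalies(log_text, volume_factor=3.0):
    """Return [(user, day, reasons)] for every user-day that departs from
    that user's baseline. The first observed day has no baseline and is
    never scored. Anything that never reaches the log (a phone photo of
    the screen, for instance) is invisible to this check by construction."""
    alerts = []
    for user, days in sorted(daily_activity(parse_log(log_text)).items()):
        history = []
        for day in sorted(days):
            if history:
                reasons = score_day(history, days[day], volume_factor)
                if reasons:
                    alerts.append((user, day, reasons))
            history.append(days[day])
    return alerts


if __name__ == "__main__":
    for user, day, reasons in find_anomalies(SAMPLE_LOG):
        print(f"{day} {user}: {', '.join(reasons)}")
```

Run as written, the only alert is alice on 2019-08-05, for all four reasons; bob's HR reads are his normal pattern and produce nothing. The `volume_factor` is deliberately per-user rather than a global threshold, since a finance analyst's ordinary day would look like exfiltration next to an engineer's. Raising the factor silences the volume checks but the novelty checks (new area, new action) still fire, which is usually the more informative signal.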
The intimate knowledge that insiders have of an organization's security programs, policies and procedures puts them in a position to cause significant damage.
Chief among these, obviously, is the threat of physical harm. This includes workplace violence (such as shootings or bombings) but can also include things like sexual assault — especially at places in which children can be victimized, such as schools, youth sports organizations and houses of worship. Insiders can also damage facilities, business operations and assets (such as computer systems), and can steal items of value (such as data and intellectual property) as well — whether through diversion, fraud, embezzlement or outright theft.
Thus, in developing a program to effectively monitor and counter insider threats, organizational leadership must first clearly identify the most critical assets to protect. Hopefully, all organizations have a primary focus on safeguarding human life. But after that, priorities will vary depending on the type of institution or business. Compared with a tech company, for example, a school or a house of worship would prioritize safeguarding kids (although child safety is becoming increasingly important in the business world, as more companies offer on-site daycare) over defending against intellectual property theft.
A True Team Effort
The wide array of potential threats is why insider threat programs must also be cross-functional and include not just information systems and security personnel, but also protective intelligence, human resources and corporate legal. While insiders do have some significant advantages over outside attackers by understanding the inner workings of an organization, they also have a big disadvantage: their frequent contact with colleagues provides many opportunities to be observed (and caught) as they progress through their attack cycle. In the Apple case, for instance, a co-worker spotted the suspect taking photos of his computer screen and reported his behavior.
With this in mind, the workforce at large is generally going to have far more contact with a threat actor than will corporate security, human resources or, arguably, supervisors. This is why it's critical that all employees be educated on the types of behaviors that threat actors can employ, be clearly instructed on whom to report any suspicious behavior to, and be encouraged and empowered to do so. Thus, an effective insider threat program will also contain a training component to educate an organization's entire workforce — from the receptionist to the CEO. Open and ongoing communication between whoever's in charge of combating the insider threat and the rest of the organization is also crucial and must function both ways.
When employees are provided with proper training and receive encouragement to practice appropriate situational awareness, they can work together with security, human resources, legal and management to form a robust network of tripwires that can help protect against the many shapes and forms of insider threats. And while existing methods of monitoring current employees' activity or vetting job applicants are useful, they're not silver bullets that will protect organizations against all insider threats, and should thus instead be implemented as part of a wider security effort that every staff member can take ownership of.