Companies Must Invest in More Robust Insider Threat Programs

| Chuck Alsup
Chuck Alsup
President, Intelligence and National Security Alliance (INSA)
Sandy MacIsaac
Former Executive Assistant Director, National Security at the Naval Criminal Investigative Service (NCIS)

The most infamous spies, moles, and saboteurs have come from intelligence and military organizations.  However, recent allegations made against an employee by Tesla CEO Elon Musk, serve as a stark reminder that private companies also find themselves vulnerable to potential malicious insiders capable of  causing millions of dollars in damage by stealing intellectual property, damaging facilities or leaking information that can embarrass the organization.

Many private companies that do classified work for government agencies have developed comprehensive programs to identify and mitigate insider threats due to changes in regulations governing such sensitive work.  Beyond these firms, however, corporate leaders face a balancing act of security and risk as they determine the right balance of resources to devote to protect themselves, their customers, and their shareholders.

In public comments and internal communications over the past week, Musk alleged that at least one Tesla employee had stolen company secrets, and shared that information with third parties.  The company filed a lawsuit against the employee, who says he is the victim of backlash and calling himself a whistleblower – on June 20 for stealing confidential data and hacking manufacturing operating systems.  Three days earlier, in an email sent to all Tesla employees, Musk asserted that a disgruntled employee who had not received a promotion engaged in “extensive and damaging sabotage” by modifying critical computer code and sending sensitive proprietary information to outsiders.  Hours later, Musk sent another all-hands email about a fire on a production line.  Calling it “another strange incident that was hard to explain,” Musk asked employees to be alert to suspicious activities, writing, “only the paranoid survive.”

Paranoia, unfortunately, is not a particularly effective strategy for identifying malicious insiders – particularly given the Ponemon Institute finding that 59 percent of departing employees take company data with them when leaving their employers and that 24 percent had access to their employers’ computer systems after quitting.  While most companies, like Tesla, do have robust security practices, the Tesla incident serves as a strong reminder that executives need to take a strategic, long-term approach to corporate security that includes protecting against cyberattack, physical attacks, and insider threats.

Corporate leaders’ focus on reducing short-term overhead costs make them reluctant to invest in insider security programs whose return on investment – the prevention of damage – is difficult to calculate.  But an insider threat program must be seen as a long-term investment in protecting company assets. Just as an insurance policy hedges against the risk of incurring far larger costs, insider threat programs are a bargain compared to the damage that a disgruntled or careless employee could cause to a company’s reputation or bottom line.

Organizations’ greatest insider threat concerns include preventing theft of data or intellectual property, fraud, information technology (IT) sabotage and workplace violence – any of which can cause incalculable damage to a company’s brand, R&D investments, and future revenues.  Common pitfalls include addressing such threats in organizational stovepipes – such as facility security, cybersecurity, or human resources – or by focusing on a purely technical fix without considering people-centric solutions.  But by taking a cross-departmental approach and integrating insider threat programs into the fabric of the company, organizations can maintain their competitive edge and address common concerns from all areas of the business.

Effective insider threat programs examine multiple facets of employee conduct, such as network use, performance, and policy compliance.  Managers, working with human resources staff, could flag employees who demonstrate troubling workplace behavior or a failure to follow company policies. Data monitoring tools can establish baseline network behavior patterns for each employee, and security staff with effective monitoring and data analytics tools could flag anomalous conduct or detect atypical amounts of data flowing out of the company’s networks from a particular user. Company-wide efforts raise the likelihood that malicious activity could be identified before an employee sabotages a project or walks out the door with valuable corporate secrets.

Employees under significant stress have the potential to cause physical harm as well as damage to networks or intellectual property.  Workplace violence – another form of insider threat – not only presents a serious safety risk, but negatively affects employee morale and performance, erodes public confidence, and potentially leads to costly litigation.  It is highly unusual for employees to “crack” suddenly; typically, research shows, they exhibit a series of behaviors over time.  These patterns can be identified through a strong insider threat program, as they are observable in the employee’s network usage, as well as by co-workers and supervisors who have been trained to identify signs of concerning conduct.

Although many companies will seek to terminate an employee engaging in concerning behaviors, other options exist for managing at-risk employees who are identified early through continuous evaluation and co-worker input.  For example, a firm can offer counseling resources or move the staff member to a less stressful position that does not involve access to sensitive information.  An insider threat program can thus assist troubled employees while protecting the company’s people, facilities, and information.

Protecting a company’s assets from malicious insiders requires the detection of precursor activities – small transgressions that raise red flags – that manifest themselves before damage occurs. Identifying such signposts requires input from stakeholders throughout the company, including IT, human resources, security and individual employees.

Paranoia about spies and saboteurs will not defend a company from harm.  A comprehensive insider threat program is critical to protecting a corporation’s people, facilities, networks, and ideas.  Any company operating without an insider threat program is inviting disaster.

The Author is Chuck Alsup

Chuck Alsup is president of the Intelligence and National Security Alliance (INSA), a non-profit association that fosters public-private collaboration on intelligence and national security issues.

The Coauthor is Sandy MacIsaac

Sandy MacIsaac, the former Executive Assistant Director for National Security at the Naval Criminal Investigative Service (NCIS), is Chair of INSA’s Insider Threat Subcommittee.

Learn more about The Cipher Brief's Network here.

CLICK TO ADD YOUR POINT OF VIEW

Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *

2 Replies to “Companies Must Invest in More Robust Insider Threat Programs”
  1. Agreed, and it gets worse, a lot worse. Working for a 27b corporation, the FBI came in for training and their IP theft mitigation was on target, but missed the glowing bullseye. Vulnerabilities around conference calling; multiple use access codes and numbers.