The CEO of the XYZ Company, which relies on intellectual property for its corporate success, is frightened by increasing cyber attacks against major corporations like Sony and Target. The CEO invests millions to enhance the company’s information security by hiring experts and installing the most sophisticated defenses on the market. One evening, however, the night shift janitor, who has no access to the company's computer systems, filches crumpled papers with sensitive data from the office trash and sells them to a competitor.
This hypothetical example is based on real events. In its Guide to Insider Threats, Carnegie Mellon’s Software Engineering Institute cites a case involving a bank janitor, who searched through trashcans for personal information about customers and used the information to commit identity theft. In another case, a Corning Glass employee stole confidential blueprints regarding the company’s flat panel TVs from a hopper with papers to be destroyed and sold the materials to a foreign competitor. The culprits in both these cases didn't need a single keystroke to commit corporate espionage.
Cyber espionage is obviously a serious threat that can't be ignored. Annual losses are now estimated at $300 billion, almost five times the physical asset loss and insurance costs from the 9/11 attacks, and computer intrusions are clearly increasing in volume and sophistication. As a result, companies naturally invest heavily in cyber security. That investment, however, shouldn’t detract from their defenses against security minefields unrelated to computer networks. As our janitor examples illustrate, cyber intrusion is only one of many methods that foreign intelligence services, criminals, and competitors use to steal corporate secrets.
The spy inside is one of the most effective methods—he or she is knowledgeable about the company’s security practices and vulnerabilities, and can thus bypass barriers designed to protect against theft of trade secrets. Computer firewalls and intrusion detection systems won’t neutralize these spies from within. Besides that, as more sophisticated cyber defenses become available, these bad actors may increasingly resort to the old-fashioned recruitment of insider spies to penetrate their targets.
Foreign intelligence services are particularly adept at targeting corporate employees. They have arranged seemingly casual contacts at conferences and trade shows, and posted false hiring ads to conduct interviews designed to elicit information and ultimately recruit employees of a target company. According to the Carnegie Mellon study, half of the insiders who stole corporate information for financial gain were recruited by outsiders, including foreign intelligence services and organized crime syndicates.
Insider spies also play a key role in facilitating cyberespionage. While many computer attacks are launched remotely, insider spies can easily download proprietary information, customer databases, and marketing strategies onto flash drives. Disgruntled systems administrators pose a particular threat in this regard and have used their special access and technical expertise to install malware, create backdoors, and write malicious scripts to steal information or disrupt network operations.
Many insider attacks could have been easily prevented with proper security measures that are simple to develop and relatively inexpensive. Among the most significant is employee awareness training. U.S. Government national security agencies, which have learned their own painful lessons from traitorous insiders over the years, believe strongly that awareness training plays a vital role in sensitizing employees to the threats and tactics used by bad actors and the behavioral indicators that often precede an employee's plunge into espionage.
Besides awareness training, many of the other measures simply require time, ongoing attention, and the full support of company executives. A corporate security policy is critical and should be read and acknowledged by all employees. Indicators of personal problems that could lead to espionage, such as financial problems, alcohol consumption, and job dissatisfaction, are often noticed first by other employees. Companies must establish a fair and strictly confidential program for their employees to report suspicious incidents and behavior. Over 60 percent of employees who left a company disgruntled or were dismissed exhibited warning signs that went unnoticed and unreported. Terminations and layoffs of employees also entail risks that can be mitigated with proper exit and transition programs. The establishment of an employee assistance program can also help personnel experiencing life-changing personal problems, whether marital, financial, or psychological, before they seek a more dangerous solution.
Companies should also foster contacts with local law enforcement and especially with the FBI, which fosters significant security cooperation with the private sector through its Counterintelligence Strategic Partnership program. Finally, any effective insider threat program requires sharing of information among all relevant company departments—internal stovepipes, for example, often leave company security officials unaware of suspicious behavioral indicators known to the human resources department and, as a result, the spy operates with impunity.
Corporate security professionals have not ignored the insider threat but, according to a survey by the SANS Institute, one third of U.S. corporations admitted they still have inadequate systems in place to protect against it. On the government side, a White House executive order in 2011 mandated the development of insider threat programs in all agencies to protect classified information. As a result of the Snowden debacle, the program received new impetus, tantamount to closing the proverbial barn door after the horse was gone. Considering the increasing insider threat, companies should start securing all their barn doors, not just their computer systems, before it’s too late.