Neutralizing insider threats is vital to good data security

Monitoring of assets, continuous employee training make businesses savvy, not sorry


As we have seen in the headlines, insider threats are a constant challenge for government agencies. But the problem comes with one silver lining. Each time a successful insider threat strikes, it pushes agencies to bolster their cybersecurity programs.

The National Industrial Security Program Operating Manual (NISPOM) Change 2 is an example of just that. Released by the U.S. Department of Defense in May 2016, NISPOM Change 2 mandates that federal contractors implement an insider threat program. One key requirement went into effect on May 31, requiring contractors to provide insider threat awareness training to all cleared employees before they are granted access to classified information, and annually thereafter.

Consequences, rewards

The requirement is a positive step in tackling the insider threat problem. The training includes a section on the consequences of breaking the rules, using real-world examples of insiders who have faced prison time and hefty fines, such as Pvt. Bradley Manning, who was convicted and sentenced to 35 years at the maximum-security U.S. Disciplinary Barracks at Fort Leavenworth.


It also educates employees on common behavior patterns that may indicate an insider is about to turn, such as frequent trips outside the United States or working strange hours. Finally, the training explains who to contact if an employee identifies a potential insider threat.

One drawback to the mandate is that it requires contractors to conduct training only once a year. In addition to spending 25-plus years working in the federal government, I also majored in psychology at Towson University. One lesson I learned is that if you want the human mind to retain a lot of information, it must be broken down into smaller chunks and exposed to the data frequently. Security awareness training of any kind should include 7- to 10-minute sessions that focus on specific policies violated.

Test employees' awareness

For example, if a contract employee innocently sent private government information to his personal email account, he should go through a training session that specifically addresses why that action is risky and against policy. Based on data from our Risk Fabric analytics software, when employees are called out by their employer, close to 80 percent make changes so that they are more security-conscious.

The requirement should also mandate that insider threat awareness training take place quarterly. Employees should take a test asking basic insider threat-related questions, and then go through training on the questions they answered incorrectly.

Make it manageable

While insider threat awareness training is key, effective insider threat programs encompass much more. Government agencies manage hundreds to thousands of contractors at once, many of whom access highly sensitive information. With limited resources, it's tough to keep up with what each contractor is doing on the network. Again, break it up into smaller chunks.

Agencies should first identify their crown jewels, the assets that, if compromised, would hurt the mission the most. They then should make sure any contractors interacting with those crown jewels are monitored at all times, and that threats and vulnerabilities that put those assets at risk are mitigated immediately. Coupled with continuous training, that kind of risk-based approach should help turn the insider threat tide, enabling agencies to catch and stop risky users before it's too late.