U.S. orders federal contractors to use awareness training to tackle insider threats
While mandate isn’t perfect, companies should use it as a starting point to mitigate cyber risks
By Thomas Jones, Special to ThirdCertainty
As we have seen in the headlines, insider threats are a constant challenge for government agencies. But the problem comes with one silver lining. Each time a successful insider threat strikes, it pushes agencies to bolster their cybersecurity programs. The National Industrial Security Program Operating Manual (NISPOM) Change 2 is an example of just that.
Released by the U.S. Department of Defense in May 2016, NISPOM Change 2 mandates that federal contractors implement an insider threat program. One key requirement went into effect on May 31 this year: contractors must hold insider threat employee awareness training for all cleared employees before those employees are granted access to classified information, and annually thereafter.
The requirement is a positive step in tackling the insider threat problem. The training includes a section on the consequences of breaking the rules, using real-world examples of insiders who have faced prison time and hefty fines, such as Pvt. Bradley Manning, who was convicted and sentenced to 35 years at the maximum-security U.S. Disciplinary Barracks at Fort Leavenworth, Kansas.
Recognizing potential threats
It also educates employees on common behavior patterns that may indicate an insider is about to turn, such as frequent trips outside the United States or working strange hours. Finally, the training explains who to contact if an employee identifies a potential insider threat.
One drawback to the mandate is that it requires contractors to conduct training only once a year. In addition to spending 25-plus years working in the federal government, I also majored in psychology at Towson University in Maryland. One lesson I learned is that if you want the human mind to retain a lot of information, it must be broken down into smaller chunks and exposed to the data frequently.
Security awareness training of any kind should include 7- to 10-minute sessions that focus on the specific policy that was violated. For example, if a contract employee innocently sent private government information to his personal email account, he should go through a training session that specifically addresses why that action is risky and against policy. Based on data from our Risk Fabric analytics software, when employees are called out by their employer, close to 80 percent change their behavior and become more security-conscious.
Quarterly training is optimal
The requirement should also mandate that insider threat awareness training take place quarterly. Employees should take a test of basic insider threat-related questions and then go through training on the questions they answered incorrectly.
While insider threat awareness training is key, effective insider threat programs encompass much more. Government agencies manage hundreds to thousands of contractors at once, many of whom access highly sensitive information. With limited resources, it's tough to keep up with what each contractor is doing on the network. Again, break it up into smaller chunks.
Agencies should first identify their crown jewels, the assets that if compromised would hurt the mission the most. They then should make sure any contractors interacting with those crown jewels are monitored at all times, and threats and vulnerabilities that put those assets at risk are mitigated immediately. Coupled with continuous training, that kind of risk-based approach should help turn the insider threat tide, enabling agencies to catch and stop risky users before it’s too late.
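The two ideas above, prioritizing monitoring of crown-jewel assets and tying each policy violation to a short, targeted training session, can be sketched as a small triage script. The following is an added example written for this article, not code from the author, Risk Fabric or NISPOM; the asset inventory, approved email domains, log format and training-module names are all constructed assumptions.

```python
"""Risk-based insider-threat triage (added example, not from the article).

Given an asset inventory that marks the "crown jewels" and a stream of
access/email events, it (1) flags every contractor interaction with a
crown-jewel asset for review and (2) maps each policy violation to a short,
focused training module for that employee, instead of one annual session.
Log format, asset names, domains and module names are constructed.
"""
import re
from collections import defaultdict

# Constructed asset inventory: mission-critical assets that get continuous monitoring.
CROWN_JEWELS = {"mission-db", "sat-telemetry"}

# Constructed: email domains the organization controls; anything else is "personal".
APPROVED_DOMAINS = {"agency.example", "contractor.example"}

# Each violation key maps to a 7- to 10-minute training module (constructed titles).
TRAINING_MODULES = {
    "personal_email_exfil": "Why sending work data to a personal email account is risky",
    "off_hours_crown_jewel": "Handling mission-critical assets outside business hours",
}

# Constructed log format: "<ISO timestamp> user=<id> role=<role> action=<access|email> k=v ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+)\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec.update(dict(kv.split("=", 1) for kv in rest.split() if "=" in kv))
    return rec


def hour_of(ts):
    """Hour of day from an ISO-8601 timestamp such as 2024-03-04T09:12:00."""
    return int(ts[11:13])


def triage(lines):
    """Return (alerts, training).

    alerts:   list of (timestamp, user, asset) for contractor access to crown jewels.
    training: dict user -> set of violation keys (see TRAINING_MODULES).
    """
    alerts = []
    training = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # ignore malformed lines rather than crash the pipeline
        user, role, action = rec["user"], rec["role"], rec["action"]
        if action == "access" and rec.get("asset") in CROWN_JEWELS:
            if role == "contractor":
                alerts.append((rec["ts"], user, rec["asset"]))
            if hour_of(rec["ts"]) < 6 or hour_of(rec["ts"]) >= 22:
                training[user].add("off_hours_crown_jewel")
        elif action == "email":
            domain = rec.get("to", "").rsplit("@", 1)[-1]
            if domain not in APPROVED_DOMAINS and rec.get("attachment") == "yes":
                training[user].add("personal_email_exfil")
    return alerts, dict(training)


def training_plan(training):
    """Turn violation keys into the module titles each user should complete."""
    return {user: sorted(TRAINING_MODULES[k] for k in keys) for user, keys in training.items()}


# Constructed sample events for a single day.
SAMPLE_LOG = [
    "2024-03-04T09:12:00 user=jdoe role=contractor action=access asset=mission-db",
    "2024-03-04T23:40:00 user=jdoe role=contractor action=access asset=sat-telemetry",
    "2024-03-04T10:05:00 user=asmith role=contractor action=email to=asmith@mail.example attachment=yes",
    "2024-03-04T10:07:00 user=asmith role=contractor action=email to=lead@agency.example attachment=yes",
    "2024-03-04T11:00:00 user=bwong role=employee action=access asset=wiki",
    "2024-03-04T14:00:00 user=bwong role=employee action=access asset=mission-db",
]

if __name__ == "__main__":
    alerts, training = triage(SAMPLE_LOG)
    for ts, user, asset in alerts:
        print(f"REVIEW {ts} contractor {user} touched crown jewel {asset}")
    for user, modules in training_plan(training).items():
        print(f"TRAIN {user}: {'; '.join(modules)}")
```

Note the split in the output: contractor access to a crown jewel is an alert for the monitoring team whether or not anything was done wrong, while the training plan is driven only by actual violations, so an employee who legitimately queries the mission database during business hours is neither alerted on nor sent to a module.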