There’s been increased attention in the government and the private sector about the insider threat since the disclosures of classified information by Edward Snowden in 2013. The insider threat has historically been viewed from an espionage perspective, especially by the Department of Justice and the FBI. This was true during the Cold War as intelligence agencies on both sides sought to recruit an “insider” to provide classified military and government secrets. My first experience with the insider threat goes back to my days as a counterintelligence agent with the Air Force Office of Special Investigations (OSI). OSI sought to identify anyone in the Air Force stealing and selling classified and sensitive information to a foreign intelligence service. The world has changed much since then, and so has our perspective of the insider threat.
Different Kind of Threat
Although the insider threat historically was seen as a malicious threat coming from someone within the organization with inside information and data, the threat has evolved along with the liabilities and other adverse consequences. In addition to targeting trade secrets and other proprietary information, the insider threat may manifest itself in a number of ways. The shootings in San Bernardinio last December were a tragic and unique hybrid; an insider threat of targeted violence that manifested itself in a terrorist attack, San Bernardino Attack.
Insider threats may also present themselves as internal frauds, sabotage, targeted violence, executive misconduct, or economic espionage. It’s important an organization’s key stakeholders begin the dialogue about the insider threat and ask:
- Have we assimilated the insider threat into our risk management strategy?
- Where are we vulnerable?
- Who are the key stakeholders?
- What’s the impact to our people, assets, and reputation?
- What protective and contingent measures are reasonable?
- How do we employ a strategic and sustainable approach?
Insider Threat Drivers
Deloitte LLP did a very nice job in a white paper published in 2014 summarizing three primary insider threat drivers; malicious intent; complacency; and ignorance. To these I would add a fourth – organizational blind spots. All of these contribute, deliberately or inadvertently, in allowing the insider threat to manifest itself in an organization and put employees, assets, and an organization’s reputation at risk.
The employee(s) with malicious intent are the most difficult to defend against. The reasons behind their malicious actions may be many and are often hidden. Their motives may be the result of a real or perceived grievance. Some insiders are skilled at the art of manipulation and find themselves in positions of trust. It is in these positions of trust where the insider threat can do the most damage.
Another driver feeding the the insider threat is complacency. How often do we ignore or shortcut protocols and procedures designed to protect the organization, all the while thinking “this stuff never happens here”? One of my peers worked for a Fortune 500 company without a workplace violence prevention program. Despite the efforts of him and others in the organization, there was little support for their initiative. Only after a catastrophic workplace shooting was the executive complacency overcome.
Deloitte also notes ignorance drives the insider threat. This ignorance is not because employees cannot learn and retain. Rather, there is little organization effort to inform and educate on sound risk based policies and protocols to deter or detect the insider threat.
Finally, organizational Blind Spots also contribute to the insider threat, specifically that of cultural ambivalence. Organizations may have a culture that does not embrace such discussions because they are difficult or unpleasant. Some business leaders may be reluctant to address issues outside their comfort zone. If they are not acknowledged and addressed, such as the insider threat, they remain a risk to the organization.
Because the insider threat presents risks across an organization; and because the insider threat is influenced by organizational, behavioral, and personal factors; nothing short of a strategic, holistic, team approach will work. Organizations utilizing enterprise risk management (ERM) principles should make this an element of their operational risk efforts. Risk councils or similar workgroups are best suited to address the insider threat in their organization. Many resources and tools are already available to assess, identify, counter, and mitigate the insider threat. This risk is spread along a continuum where the probability must be weighed against the severity, but it cannot ignored.
About the Author
Jim Dale is the owner and principal of Seven Citadels Consulting. Jim brings to clients more than 40 years of security and risk experience in both the private and public sectors. Formerly the Chief Security Officer (CSO) for three Fortune 500 companies, Jim is a graduate of the University of Nebraska at Omaha and was a career officer, commander, and special agent with the Air Force Office of Special Investigations. He is board certified in security management as a Certified Protection Professional (CPP), a trained threat manager and member of the Association of Threat Assessment Professionals (ATAP). He is also a member of the International Association of Professional Security Consultants (IAPSC).