Insider threat policy requirements for government agencies are well established (see, for example, Executive Order 13587 and the 2012 National Insider Threat Policy), but the corresponding requirements for companies that do business with the government are still being drafted. The result is considerable uncertainty about future compliance obligations for the roughly 20,000 contracting companies that work with the government.
So what do today’s contractors in the federal space need to know about insider threats?
NISPOM, Compliance, and Threat
The National Industrial Security Program Operating Manual (NISPOM) sets out how cleared contractors that handle classified information on behalf of the government must protect it. Compliance with NISPOM is essential, but by itself it is often not enough.
The NISPOM is in the process of being updated to include insider threat guidance. This is a much-needed step, but the draft requirements closely mirror the 2012 National Insider Threat Policy and Minimum Standards, which are broadly worded and leave much to interpretation.
Understandably, many companies are concerned about how they will implement the NISPOM requirements. Some firms face a great deal of exposure to insider risk and others very little, so what level of effort should each adopt? The manual leaves companies to assess their own degree of risk and the damage they could suffer in the event of insider action.
Thinking About Damage
In any conversation about insider threat, context is critical. One piece of context is that workforces are changing. Millennials are taking on more and more roles, and they tend not to stay long in a given job. By some estimates, about half of departing professionals take with them material their former employers would consider intellectual property.
In this environment, the potential for adverse insider activity is considerable – particularly when the knowledge or intellectual property in question is highly sensitive. Indeed, many people don’t realize how commonplace these incidents are.
Why? Many companies don’t like to talk about the damage insiders have done to them. These incidents are embarrassing; organizations fear they will tarnish the brand and cost them contracts. Unless a legal obligation forces disclosure (for example, a breach of regulated personal data), many companies would rather not admit that an incident has occurred at all.
This silence about insider attacks leads to a culture of misunderstanding about insider threats and what causes them. And because organizations don’t recognize the causes of incidents, they often don’t know how to stop them.
Some leaks of sensitive information by insiders are genuinely inadvertent, and most of these can be prevented through robust, comprehensive, and regularly refreshed training.
The other type of incident is deliberate and often malicious: fraud, theft of intellectual property, or the unauthorized disclosure of classified information entrusted to a private contractor.
If you search for insider threat solutions, you will find a great many network and user activity monitoring products offered by cyber security firms. These can be useful tools, but they are an expensive technical answer to a problem that is fundamentally rooted in human behavior.
Tracking behaviors and stressors is harder than tracking network activity, but it is also more essential. An insider who is determined to steal information and already holds legitimate access will usually find a way around network controls; such controls raise the effort required and leave an evidentiary trail, but they address the means, not the motive. The key, then, is to understand why an individual would want to do so, and to screen at hiring, train, and monitor behavioral indicators accordingly.
None of these measures is simple or easy, but by understanding the true nature of the problem and the types of solutions that fit it, commercial organizations can equip themselves to move forward with confidence.