By now, you are familiar with the concept of insider threat and the ways in which the methodology outlined in Conforming Change 2 can help identify and mitigate malicious attacks against your company's assets. It goes without saying that blatant disregard for security protocol and obvious signs of employee disgruntlement should be documented and investigated immediately. But in order to reach full compliance (and maximum effectiveness), you can’t stop there! Let’s take a look at section 3-104.b of Industrial Security Letter (ISL) 2016-02:
"Contractors must have a system or process to identify patterns of negligence or carelessness in handling classified information to ensure reporting in accordance with the requirements outlined NISPOM 1-304c, even for incidents that do not initially warrant a culpability or individual incident report.”
We’ve already established that malicious intent isn’t the only force behind insider threat: negligence and carelessness can be just as destructive. Conforming change 2 specifically deals with this in the context of handling classified information, but it is in your company's best interest to expand this concept to cover all information assets that are valuable to your company, including intellectual property, proprietary information, financial information, and employee records.
Simple acts such as poor password management, loss of devices (remember this?), or neglecting to properly update your security software can leave your most valuable information vulnerable to compromise. Many workplaces even implement a clean desk policy in order to reduce the risk of sensitive information laying out in the open. These seemingly insignificant acts are really what this section of the policy aims to address: things that weren’t done by someone harboring malicious intent, but were the result of absent-mindedness, lack of training, or apathy. These incidents should be treated as an opportunity to bring the employee's attention to the behavior and correct it, so it doesn't happen again with potentially catastrophic results.
“Wait a minute,” you might be thinking; “So now I’m expected to file more reports on things that don’t even constitute an insider threat? What’s the point in that?!” We promise it’s not as bad as it sounds! The important thing here is not to focus on how to tick that box on your checklist. Rather, focus on how you can effectively collect the information you’ll need in order to identify a pattern. If a certain employee is reported multiple times for negligence or carelessness, you’ll want to know about it! Documentation and reporting simply help keep you organized so that nothing can slip through the cracks.
You likely already have the tools and systems to make this work. You don’t need to invest in a massive overhaul and retrain your employees. Start with what you already have. It can be as simple as an excel spreadsheet, an anonymous form that employees can submit to you online, or just making yourself available for a one-on-one in your office. Otherwise, you risk Anarchy in the UK.