The Insider Threat

A layered approach can help mitigate the risks

Deloitte's Federal Government Services study, "Building a Secure Workforce: Guard Against Insider Threat," co-authored by Gelles and David Brant, attempts to recognize commonalities among malicious insiders. The study notes that the insider threat tends to consciously pursue his or her plan against the organization for an extended period of time, and that the intent to harm is often the end-result of problems in the person's life, such as family disputes, emotional instability, financial trouble, health problems or other stressors. It also identifies several traits that have been associated with employees who are potential security risks, including self-centeredness, feeling neglected, a sense of entitlement, passive aggressive behavior and intolerance of criticism.

Park Dietz, M.D., Ph.D., forensic psychiatrist and founder of Threat Assessment Group, adds to the Deloitte findings a trait that is commonly seen both in malicious insiders and in perpetrators of workplace violence. "Bonding to the organization is impaired in both groups," he says. "Sometimes because they've been alienated by not advancing as quickly as they had hoped or by being given tasks they don't like. They may feel picked on and marginalized in the workplace."

However, Dietz cautions that security professionals must take special care when considering character traits as potential indicators of risk. "Most people with narcissistic traits are not going to commit serious misconduct in the workplace," he says. "It's a little dangerous to begin to generalize about personality types.

"It's sensible to [screen for risk indicators] in a way that's going to maximize the hit rate - it's not really sensible to do it randomly," Dietz continues.

But if an organization chooses to take character traits into account to improve their chances of identifying a potential insider risk, the security leader must be careful not to place undue burden on the false positives, or those individuals who may have the traits but cannot be shown on investigation to be a threat. "What one does with the information that someone has these traits should not be harmful to that individual," Dietz warns.

So who is the malicious insider? Clearly there are more variances than commonalities between insider threats, and the commonalities that do exist tend to be intensely personal and thus perhaps difficult to uncover or ascertain.

Because the threat is multi-faceted, guarding against it may be most effectively accomplished through a layered approach incorporating process and policy, technology and cultural change.

Know Your Assets

Before we continue, it is worthwhile to note the importance of knowing exactly what needs to be protected. Mitigation tactics will have limited efficacy if they are not based on a clear understanding of the organization's valuable assets and information. Security and risk professionals must clearly identify intellectual property, proprietary data, and assets and information at risk before embarking on a program to protect them.

Stop Them at the Gate

The first layer of protection involves stopping the potential insider threat from becoming a part of the organization in the first place. "We don't know our workforce. Who are we hiring?" asks David Brant, Director with Deloitte Consulting.

What's more, adds Richard Lefler, former CSO of American Express and emeritus faculty member of the Security Executive Council, organizations do not know the workforces of the companies they allow inside their walls and networks. "Outsourcing has given other companies' employees access to your facilities, and that makes them an insider threat as well," Lefler says. "Lots of companies outsource things like mailroom functions, equipment maintenance, IT and telecommunications. Nearly all companies outsource one of these things. Outside company employees get approval to enter facilities, often with few limitations. If the partner has not done a good job of hiring, the threat is yours."

Mandating background checks that are stringent enough to match the value of the organization's assets is a basic measure here. Deloitte's "Building a Secure Workforce" study recommends that companies use the interview and hiring process to weed out those traits they have identified as potential risk indicators. That is, companies should seek to hire individuals who can show they are team-oriented, who respond to criticism well, and who can deal well with conflict. Dietz notes, however, that over-reliance on this approach would exclude many of the best scientists, technical innovators and sales people.