“If you suddenly find that each and every department from a completely different angle has seen certain risk characteristics, then the chances that this person may be an insider threat certainly are much higher,” says Kabilan. He says the frequency with which these teams should meet would depend on the organization. “It could be anything from monthly to quarterly; it really depends on the size of the organization and the sort of security risks that they have. But it should be a regular thing. It should not be something that gets convened because an issue has arisen.”
Awareness. Apart from this team, the company will benefit from raising the general level of awareness among its staff. The Deloitte report advises companies to establish insider-threat awareness programs for employees as one part of a culture that mitigates insider risk. Such programs also put all employees on notice about what the company policies are with regard to the confidentiality of the company’s proprietary information, what behaviors are not allowed, what might trigger monitoring of employees, and what disciplinary actions might result from violations of those policies.
In addition, according to the Deloitte report, “Ongoing educational campaigns directed at the work force about the threats posed by insiders can heighten sensitivity to insider threat challenges, and provide concrete, practical steps employees can take to minimize asset loss.”
The Deloitte report also advocates creating networks of security-minded people and training the work force to observe, collect, and report information on suspicious behavior. That includes making sure there is a way for employees to report such behavior. The report also suggests developing a way to test this training to ensure that it is effective.
“The challenge of asking the work force to become involved is both one that’s a practical issue and a perception issue,” says McGarvey, who implemented insider-threat programs when he was director of information protection for the U.S. Air Force.
Security doesn’t want to be seen as being like the Stasi was in East Germany, asking everyone to report on everyone about everything. “First off, it doesn’t work, and secondly, it gives you a horrible reputation,” says McGarvey.
But there are ways to implement a reasonable reporting system. McGarvey says that training employees to detect patterns of behavior that indicate distress will allow the company to help the individual at risk, and that doing so will involve human resources and other departments outside of security.
In the Air Force, McGarvey relied on engagement with the surgeon general’s office and the chaplain’s office to help identify issues and to provide resources for troubled individuals.
“We wouldn’t have to go to an individual and say, ‘Hey, you’re screwed up, we’re going to pull your clearance, we’re going to fire you, we’re going to put you in jail.’ Instead, we’d say, ‘We see there’s an issue; you can go talk to a counselor; you can go talk to your chaplain, but you do need to talk to someone,’” says McGarvey.