Everyone is missing the boat on the insider threat issue – INSA too…to paraphrase James Carville, “It’s leadership stupid.”
Government and private sector organizations are the primary reason for insider threats – senior leaders and the boardroom grow them internally.
With very minor exception, NO ONE COMES TO WORK FOR YOU ON DAY ONE WITH THE INTENT TO HURT YOU, steal your secrets, or sell your intellectual property.
It’s how you treat them, over time, that turns them into insider threats.
You put them in the wrong jobs;
You fail to trust them;
You make it hard for them to do their jobs;
You put asshole/untrained managers over them;
You treat them like furniture;
You , threaten their existence in your companies and agencies;
You kill their spirit; and
Then, you wonder why they decide to hurt you.
Want to reduce/eliminate the insider threat? Treat you staff the way you did on day one:
Welcome them as a human being;
Be aware of how they are cared for in your organization;
Show them you care about them and their families;
Give them a future;
Put r-e-a-l leaders over them;
Give them a voice; and
Pay them well.
In other words, treat them as you would want to be treated.
Now, why is that so hard?
And, why do NONE of the plans I have seen for combatting the insider threat even mention poor leadership as a factor?
INSAonline.org | 9.12.13 Assessing Insider Threat Programs of U.S. Private Sector http://www.insaonline.org/i/f/pr/9.12.13_InsiderThreat_WP.aspx
“When Johnny reports to work for you on Day 1, they DO NOT intend to do you or your organization’s information systems any harm; something happens to them, either in their personal or work life that changes this – the CEO’s or Agency Head must be held responsible for making sure they know what’s going on with all of the Johnnys (and Janes) in their organization to prevent the good people they hired from becoming insider threats.”
While most of the world is focusing on “technology” as a solution to preventing insider threat attacks to organization/agency information and systems, hardly anyone is focused on leadership’s responsibility to create and sustain a work environment that minimizes the chance for an employee to turn into an insider threat.
On October 21, 2012, I had the chance to speak on this issue at the 2012 International Cyber Threat Task Force(ICTTF) Cyber Threat Summit in Dublin, Ireland a few weeks ago; here is a video recording of my presentation, I hope you find it informative and useful.
When most people think of spies, they think of the Rosenbergs who gave up atomic research in 1942, John Walker who gave up Naval radio communications in the 1980s, or the likes of Aldrich Ames and Bob Hanssen who compromised CIA and FBI programs (respectively). But, have you ever heard of Ho, Yang or Min?
Chester Ho, a naturalized U.S. citizens, was arrested after stealing the plant cell culture technology from Bristol-Myers Squibb–nearly $15 million loss
Hwei-Chen Yang was arrested after stealing adhesive trade secrets from Avery Denison–nearly $60 million loss
Yonggang Min walked out the door of Dupont with more than 16,000 documents from DuPont’s electronic library–nearly $600 million loss
While the Rosenbergs, Ames and Hanssen were guilty of National Security Espionage, Ho, Yang and Min were clearly engaged in Economic Espionage, or “the act of theft or misappropriation of (commercial) trade secrets.” What makes this particularly significant is the fact that the potential for economic espionage exists in virtually every corner of our way of life–government agencies, small companies, large corporations, colleges, universities, overseas research and development laboratories, and economic espionage is largely driven by one of three motives:
Profit;
Patriotism to home country; or
Desire to achieve academic/scientific notoriety.
While the majority of the threat can come from any of the 108 countries actively seeking to collect information about American innovations, and (a sub-set) of the 30,000,000 non-immigrant visitors to our nation every year, the threat can also come from within; companies in like sectors would love to know what the others in that sector are working on–new prescription drug? Next Ipod? Alternative fuel technologies?
So, who can threaten your innovations and intellectual property?
Insider threats–people working for you;
People and companies that you partner with;
Subcontractors providing services
University students doing research for you;
Visitors that have an interest in what you do; or
Competitors who seek to do you harm.
Interesting side note: 75% of the 40 proprietary and confidential information thefts studied between 1996 and 2002 by Carnegie Mellon’s CERT program in a July 2006 study were committed by current employees. Of those current employees committing intellectual property thefts, 45% had already accepted a job offer with another company. “In between the time they have another offer and the time they leave is when they take the information”
At the end of the day, you (and your organization’s leaders) are responsible for the survival of your organization, and only you can really know “Who’s in Your House” and what they are doing. The other way to put it is that if something bad happens, only you will be standing there explaining to your board of directors and shareholders what happened.
So what can you do to protect yourself? I suggest five key strategies:
Ask the right questions;
Do the math;
Trust, but verify;
Use the velvet rope and black cloth; and
Educate, communicate and reward.
1. Ask the Right Questions
Corporate presidents and CEOs should regularly ask their security officers the following five questions:
What technologies/projects are most at risk?
Why are others interested in it?
Who are the specific threats?
Where are the vulnerabilities?
How are we stopping them from getting it?
Establish a good idea of what an adversary might be after, why they’re after it, and what your organization is doing to protect it from compromise. For larger organizations, with many projects, you should go through this exercise with each program/product.
2. Do the Math
You cannot protect everything, so develop a strategy to identify and protect those projects and technologies that can cause the most dire consequences to your bottom line. I suggest dividing up your organization’s projects/products into three piles.
Pile One = those projects that the future of your company rests on or those that you risk jail time for compromise;
Pile Two = Those projects that are important, but expendable; and
Pile Three = Those projects that are commodities or already in the open source.
Here is some sample criteria to help you decide which pile a project may belong in:
Sample Criteria for Pile One
Classified or sensitive national security project
New research and development effort
Loss would mean significant loss of revenue and new CEO
Sample Criteria for Pile Two
Company future doesn’t hinge on product survival
No significant IP or trade secrets involved
Product at the middle of “S” curve
Sample Criteria for Pile Three
No IP or trade secrets involved
Commodity type product or service; top of the “S” curve
Already in the public domain
Remember: Focus on Pile One FIRST–do not be tempted to go after the low-hanging furit in piles two or three.
To be continued…In Part 2 of 2, I’ll finish with Key Strategies 3, 4 and 5.
Chuck has served as a strategic planner, business analyst, and technologist for the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, Illinois State Police, and many other public and private sector organizations. He helped these agencies to develop meaningful strategies, to implement innovative technologies, and to assess their success towards achievement of desired public safety and homeland security results. He currently serves as Executive Director for NOWHERETOHIDE.ORG, First Vice President of the InfraGard Maryland Members Alliance, and Chairman, IJIS Institute Security and Privacy Committee.