Dealing With Insider Threat
By: Neville Hay, Director of Training, INTERPORTPOLICE
It is important for the industry to recognise the threat from the insider: what the threat looks like and what steps can be taken to mitigate it. Keeping things simple helps everyone understand the threat, recognise a potential insider, and take steps to pursue, prevent, protect and prepare against the insider and the impact an insider act can have.
There are many definitions of an insider. Simply put, an insider is a person who exploits, or has the intention to exploit, their legitimate access to an organisation's assets for unauthorised purposes.
Sun Tzu, in The Art of War, written around 500 B.C., described the five types of spies one employs in war. The description fits the insider today: the insider is nothing new and has always been a threat, as much a threat today as in 500 B.C.
Understanding the threat and how it affects the business helps to mitigate it. Some common facts follow.
There are five types of insider activity:
1. Unauthorised disclosure of sensitive material
2. Process sabotage or corruption
3. Facilitation of another to access the organisation's assets
4. Physical sabotage
5. Electronic interference or IT sabotage.
The most frequent are unauthorised disclosure of sensitive material and process sabotage or corruption. The first is easily understood: material which may be of use to a competitor, or which provides information on security or other sensitive areas that others can capitalise on. Process sabotage or corruption is again easily understood: an internal process is deliberately altered or bypassed for the insider's own ends.
Research has identified certain demographics, some of which are worth noting:
· Males make up a significantly higher proportion of insiders than females.
· 49% of insiders were aged 31 – 45.
· Permanent staff are more likely to be insiders than contractors.
· Insider activity can last between 6 months and 5 years.
· A high percentage of insiders had worked for the organisation for less than 5 years.
The insider threat is more likely to be self-initiated (76%) than the result of deliberate infiltration (6%); i.e. the individual saw an opportunity to exploit their access once employed rather than seeking employment with the intention of committing an insider act. Infiltration cannot be discounted, however, and companies should satisfy themselves regarding the suitability of an individual for the role they are employed in: the employer should ensure that background checks or security clearance vetting are conducted effectively and efficiently.
The reasons an individual may undertake insider activity are complex, and it is common for insiders to have more than one motivation. Financial gain may be the single most common primary motivation, followed by ideology; a desire for recognition and loyalty to others are also quite common.
There can be a relationship between primary motivation and the type of insider incident: ideology and a desire for recognition are closely linked to unauthorised disclosure of sensitive information, while financial gain is linked to process corruption or giving others access to assets. Both individual- and organisational-level factors are associated with insider activity.
The three main individual factors are:
· Personality traits
· Lifestyle/circumstantial vulnerabilities
· Workplace behaviours.
A person's lifestyle and behaviour may leave them vulnerable or open to compromise: debt, drug abuse, alcoholism, an extra-marital affair, a poor work attitude, signs of stress, a sudden loss of status, a death in the family or the break-up of a marriage, and so on. It is important that nothing is taken out of context; these factors should not be used to profile or discriminate against individuals who happen to match some characteristics and traits.
It is important to identify possible indicators, then monitor, investigate and mitigate.
There can be a clear link between an insider act taking place and exploitable weaknesses in an employer's protective security and management processes. Organisational-level factors that have been identified include poor management practices and:
· Poor use of auditing functions
· Lack of protective security controls
· Poor security culture
· Lack of adequate, role-based, personnel security risk assessment
· Poor pre-employment screening
· Poor communication between business areas
· Lack of awareness of people risk at a senior level
· Inadequate corporate governance
To help organisations reduce their vulnerability to the insider threat, there are key implications for personnel security. These include having a strong, ongoing personnel security regime, establishing effective management practices and recognising that the insider threat can come from anyone with access to an organisation's assets.
Acts conducted by an insider can cause significant damage to the organisation (e.g. financial loss, operational or reputational damage, or loss of market position), and may include acts associated with terrorism, espionage, leaks to third parties (including the media), and corruption and fraud for personal gain.
Other potential insiders are those who have been passed over for certain roles and responsibilities, who have remained long in post while others were promoted ahead of them, who have not been given the opportunity to gain a position of responsibility, or who have committed errors and been punished; all can point towards the disgruntled employee.
A robust and positive recruitment policy with essential parameters and guidelines, supported by policy and clear lines of responsibility, clear standard operating procedures and accurate record keeping to ensure the right individual is recruited, will assist in mitigating and reducing the insider threat.
Background checks and verification: official documentation and biometric verification; a verified five-year employment history supported by a criminal records enquiry and certificate; financial checks; and social media investigation will all help to recruit an individual while minimising risk in the first instance. However, a robust recruitment procedure alone will not deter those who become disgruntled once employed.
There needs to be a procedure for referring individuals of concern. The referral may come from a colleague or any other person, through a third party, or as a result of an IT systems security check that highlights unusual activity. There must be an educational programme to make employees aware of the insider threat, giving them the confidence to report, supported by an easy method of reporting, either through a telephone line or via an anonymous means such as a mobile application or hotline.
It is known and documented that individuals may be reluctant to inform on a colleague for fear of getting it wrong. The message must be that it is better to say something than nothing, and to let the appropriate line of enquiry make the decision and take ownership.
Ownership of an insider threat can lie with different individuals depending on the nature of the concern or referral: law enforcement may investigate, but it is the employer who owns the employee's status and continued employment.
Airports normally have a risk assessment group operating under the Airport Security Programme (ASP). To assist with the insider threat at an airport, one suggestion is to have a similar group that can come together to discuss concerns and decide on investigation policy and actions.
Entities should have a referral mechanism that is clearly defined and known to employees, managers and human resources departments. Where the concern involves terrorism or a criminal act, the entity should refer to the appropriate authority or to airport security; the airport security department and the police can then discuss the referral and carry out a review. A scoring mechanism similar to a risk matrix can be employed; the score, supported by evidence, will determine the investigation strategy and consequent outcome. Forming a joint investigation and review team provides reassurance to all concerned. Exchange of information may take place in confidence, although some information may not be shared depending on policy or sensitivity.
A review team should involve key individuals and senior management, typically made up of:
· Senior investigator
· Tasking and coordination manager
· Head of security or deputy
· Emergency services airport liaison if employed
· Legal representative for the airport
· Union representative
· Human Resource representative
Some referrals will not be of a terrorist or criminal nature and will not need a review team meeting; some may be of a nature that local managers and HR departments can investigate themselves. Where there is greater concern, because of the entity's own findings and information, they should refer to the appropriate authority or to airport security. This way there is a reporting methodology to ensure an individual employed at the airport is dealt with proportionately and lawfully, and, where necessary, a joint meeting is held to discuss the individual referred.
Formal investigation by the police may result in executive action; this is a matter for the police to decide. Whether after investigation or in the initial stages, a matrix scoring system (which may include links to known associates, access, capability, specialist training, background history etc.) can quantify a risk that does not require further investigation. In that case the review team can set a period of monitoring or personal intervention, or hold a discussion with the individual over the concerns and offer appropriate measures to assist them where matters come to light with which the entity can help. This prevents escalation.
Typical investigations and decision making should be based on evidence. Making use of a decision-making model can assist, and the decision-making process should always centre on a core code of ethics:
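The matrix scoring described above, written out as an added example (this is not code from the original article or from any airport's own system). The factor names follow the article's list (known associates, access, capability, specialist training, background history); the weights, the 0 to 3 levels, the half-weight rule for unevidenced factors, the tier thresholds and the outcome wording are all assumptions for illustration and would be set by the entity's own policy. The one fixed rule is the article's: a concern of a terrorist or criminal nature is referred to the appropriate authority regardless of score.

```python
"""Referral triage using a risk-matrix style score (added example).

Weights, levels, tiers and the half-weight rule are assumptions, not the
article's or any entity's policy.
"""
from dataclasses import dataclass, field

FACTOR_WEIGHTS = {            # assumed weights per factor
    "known_associates": 3,
    "access": 3,
    "capability": 2,
    "specialist_training": 2,
    "background_history": 2,
}
MAX_SCORE = 3 * sum(FACTOR_WEIGHTS.values())   # 36 with the weights above

# Assumed tiers: (minimum score, outcome), checked from highest to lowest.
TIERS = (
    (25, "refer to appropriate authority / airport security"),
    (15, "review team: set monitoring period or personal intervention"),
    (6,  "local manager and HR enquiry"),
    (0,  "no further investigation; record and close"),
)


@dataclass
class Factor:
    level: int        # 0 none .. 3 strong, as assessed by the reviewer
    evidenced: bool   # backed by a recorded source, not hearsay alone


@dataclass
class Referral:
    reference: str
    factors: dict = field(default_factory=dict)   # name -> Factor
    criminal_or_terrorism: bool = False           # nature of the concern


def score_referral(ref: Referral) -> int:
    """Weighted sum of factor levels. Unevidenced factors count at half
    weight (integer division), so hearsay alone tops out at 17 of 36 and
    can never reach the 'refer' tier on its own."""
    total = 0
    for name, weight in FACTOR_WEIGHTS.items():
        f = ref.factors.get(name)
        if f is None:
            continue
        level = max(0, min(3, f.level))
        points = weight * level
        total += points if f.evidenced else points // 2
    return total


def triage(ref: Referral) -> tuple[int, str]:
    """Return (score, outcome). A terrorism or criminal concern is always
    referred to the appropriate authority, whatever the score."""
    score = score_referral(ref)
    if ref.criminal_or_terrorism:
        return score, TIERS[0][1]
    for threshold, outcome in TIERS:
        if score >= threshold:
            return score, outcome
    return score, TIERS[-1][1]


if __name__ == "__main__":
    # Constructed referral: evidenced access concern, unevidenced history item.
    r = Referral("REF-001", {"access": Factor(2, True),
                             "background_history": Factor(1, False)})
    print(triage(r))   # score 7 -> local manager and HR enquiry
```

The score is a triage aid, not a finding: each factor level should be recorded alongside the source that supports it, so the review team can see why a referral landed in a tier and revisit it as evidence is added or discounted.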
· What is known? Gather or obtain information
· Assess the risk and threat and develop a working strategy
· Consider Powers and Policy
· Identify options and contingencies
· Take action and review what happens
· Continue the process for every action
The investigation should set parameters, direction and timelines, with a review process. There should be identified core lines of enquiry that are essential and necessary, and others that may provide additional information forming links to prove or disprove what is known. Evidence is obtained by questioning, by investigation of property, ownership, finances etc., and through any other line of enquiry that may have an impact on the investigation.
In every investigation all actions and findings should be recorded and time- and date-stamped, identifying who, what, where, when and how something was said, carried out or witnessed, and who made the record. All material should be kept secure and accessible only to those with the correct authority. Record, retain and reveal when required. If things are not recorded it creates doubt, confusion and disbelief that something took place.
When conducting an investigation, always look wide. Gather as much information as possible and have clear lines of enquiry that define and show the rationale. Never assume. Take into account factual evidence that can be proved, then look at the circumstances and circumstantial evidence. Obtain evidence from IT systems where known facts are recorded, ensure continuity, and keep evidence obtained as a sealed original with working copies, especially when dealing with CCTV systems, which may not store material after a certain period.
Ensure the appropriate use of necessary forms, legal parameters, privacy and privilege is maintained and that you are not operating outside the law, as this may impede or discredit the investigation and have catastrophic consequences.
When conducting an interview, make use of interview techniques: employ two interviewers, be aware of behavioural cues, ask open questions, use a structured process and record it.
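The two record-keeping points above (time-stamped records of who did what, and a sealed original with working copies) can be put into practice for exported material such as a CCTV clip or an access-control log extract. The following is an added example, not code from the original article or from any airport's own system: it copies an export to a read-only sealed original plus a working copy, hashes the original with SHA-256, and keeps a one-line-per-action custody log. The file naming, the JSON Lines log format, the exhibit reference and the sample "CCTV export" bytes are assumptions constructed for the example.

```python
"""Evidence continuity for exported material (added example).

Sealed original + working copy + time-stamped custody log. File naming and
log format are assumptions; the 'CCTV export' in demo() is constructed bytes.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def append_custody(log_path: str, entry: dict) -> None:
    """One JSON object per line: who, what, the hash at that point, and when."""
    entry = dict(entry, when=datetime.now(timezone.utc).isoformat())
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")


def seal_exhibit(source: str, exhibit_ref: str, who: str, exhibit_dir: str) -> dict:
    """Copy the export to a read-only sealed original plus a working copy,
    hash the original, and open the custody log with a 'sealed' entry."""
    os.makedirs(exhibit_dir, exist_ok=True)
    sealed = os.path.join(exhibit_dir, f"{exhibit_ref}.sealed")
    working = os.path.join(exhibit_dir, f"{exhibit_ref}.working")
    log = os.path.join(exhibit_dir, f"{exhibit_ref}.custody.jsonl")
    shutil.copyfile(source, sealed)
    os.chmod(sealed, 0o444)            # analysts work on the copy, never this
    shutil.copyfile(sealed, working)
    digest = sha256_of(sealed)
    append_custody(log, {"exhibit": exhibit_ref, "action": "sealed",
                         "who": who, "source": source, "sha256": digest})
    return {"sealed": sealed, "working": working, "log": log, "sha256": digest}


def verify_sealed(sealed: str, log: str) -> bool:
    """Re-hash the sealed original against the hash recorded at sealing."""
    with open(log, encoding="utf-8") as f:
        first = json.loads(f.readline())
    return sha256_of(sealed) == first["sha256"]


def demo() -> dict:
    """Constructed walk-through: seal a fake CCTV export, verify it, edit the
    working copy, and confirm the sealed original is unaffected."""
    root = tempfile.mkdtemp()
    export = os.path.join(root, "cctv_cam12_2024-03-05.mp4")
    with open(export, "wb") as f:
        f.write(b"CONSTRUCTED-CCTV-EXPORT " * 1000)    # not a real clip
    ex = seal_exhibit(export, "EXH-001", "investigator A",
                      os.path.join(root, "exhibits"))
    intact = verify_sealed(ex["sealed"], ex["log"])
    with open(ex["working"], "ab") as f:               # analyst trims/annotates
        f.write(b"edited")
    append_custody(ex["log"], {"exhibit": "EXH-001", "action": "working copy edited",
                               "who": "analyst B", "sha256": sha256_of(ex["working"])})
    with open(ex["log"], encoding="utf-8") as f:
        entries = sum(1 for _ in f)
    result = {
        "intact": intact,
        "sealed_still_intact": verify_sealed(ex["sealed"], ex["log"]),
        "working_matches_sealed": sha256_of(ex["working"]) == ex["sha256"],
        "custody_entries": entries,
    }
    os.chmod(ex["sealed"], 0o644)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The recorded hash is what lets a later reader (or a court) confirm the sealed file is the one exported on the day, which matters most for CCTV because the source system may have overwritten the footage by the time anyone asks.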
· Plan the interview and the information you want to obtain
· Engage in conversation
· Ask questions
· Challenge when necessary
· Evaluate, end on a positive note, and be prepared to go back and interview again
· Use prompts such as "Tell me", "Explain to me" or "Describe to me".
Set the atmosphere and surroundings if you can: make it less formal, with a positive, friendly, customer-service approach; this can make a difference, and each interview is tailored to the circumstances. Disciplinary enquiries may differ from probing and obtaining evidence from a witness. Alter your style depending on who you are dealing with. Respect for a person's position, culture, sexual orientation or religious needs is most important; everyone should be treated with respect and dignity.
Entities that take a security management systems approach may find that investigations are assisted and conducted more effectively and efficiently, because everyone in the entity understands each other's roles and responsibilities. Not all investigations are law enforcement led.
Monitoring an individual's performance or behaviour may assist the investigation. An awareness of behaviour is an asset when individuals are trying to observe or describe it. Investigators should have some training in human behaviour, interview skills, techniques and processes before carrying out any investigation, whether safety or security related. Large entities may find investment in basic investigation training beneficial.
Human resources departments should have a referral process, with procedures to support both individuals reporting suspicious behaviour and those who have been referred. They should be equipped to deal with various health concerns and have a mechanism to refer to appropriate authorities or support services. Employing the four P's of prevent, protect, pursue and prepare will assist entities in reducing and mitigating the threat from inside.
Personality traits that may emerge or be present include:
· Low self-esteem
· Amoral and unethical
· Prone to fantasising
· Restless and impulsive
· Lacks conscientiousness
· Emotionally unstable
· Evidence of psychological or personality disorders
Those who become involved in insider activity will face certain challenges. There will be constraints, security and barriers making it difficult for them to operate in their environment. They will be limited in the amount of time they can spend in an area in order to avoid detection, and this leads to irregularities from the norm.
Their routine will deviate from the norm, and when there are inconsistencies and irregularities that is an indicator that the person's behaviour has changed: staying late or coming in early when no one else is around, or being in an area without good reason. Changes in character or attitude can be other indicators. Colleagues who have worked with someone for some time are the best source of information; knowing your environment and knowing your staff is important. Other areas where concern may be observed are:
· Engages in unusual copying activity
· Engages in unusual IT activity
· Unauthorised handling of sensitive material
· Commits security violations
Additionally, consider the security measures around IT systems: server room security and access control to the server room, monitoring of internet usage, controls on the use of USB sticks and a clear desk policy.
Whilst pre-employment screening is essential, it will not, however comprehensive, identify all individuals who present a potential security risk. The combination of factors notable in an insider act (including personality factors, lifestyle changes, circumstantial vulnerabilities and workplace behaviours) is not always present or observable at recruitment. Robust and ongoing protective security measures and effective management practices are key to reducing vulnerability.
Recognise that the insider threat can originate from anyone with legitimate access to your organisation: permanent employees, contractors, temporary staff and even business partners. Ensuring protective security policies and procedures are applied to all employees, regardless of length of employment and seniority, helps prevent and mitigate the threat.
A lack of awareness at senior management level can lead to organisations missing the attention and resources necessary to address the insider threat. There should be a single senior manager who is the accountable owner of people risk, to whom all managers with a responsibility for people risk report.
The insider has always been, and always will be, a threat; how well an entity mitigates it will depend on the importance it places on, and its understanding of, the insider threat.
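Two of the indicators above (being on site out of hours when no one else is around, and unusual copying activity) can be checked mechanically against access-control and USB logs, which is the kind of "IT systems security check" the referral procedure relies on. The following is an added example, not code from the original article or from any airport's own systems, run over constructed log lines embedded in the block. The log formats, the 07:00 to 19:00 core hours, the 60-minute "alone" window and the spike thresholds are assumptions.

```python
"""Two indicator checks over constructed badge and USB logs (added example).

Log formats, core hours, the 'alone' window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

CORE_HOURS = (7, 19)               # assumed: 07:00-19:00 is normal presence
ALONE_WINDOW = timedelta(minutes=60)

# Constructed badge log (not real data): timestamp,user,zone
BADGE_LOG = """\
2024-03-04T08:02:00,alice,server-room
2024-03-04T08:05:00,bob,server-room
2024-03-04T17:50:00,alice,server-room
2024-03-04T18:10:00,bob,server-room
2024-03-05T05:40:00,alice,server-room
2024-03-05T08:10:00,bob,server-room
2024-03-06T21:30:00,alice,server-room
2024-03-06T21:45:00,bob,server-room
"""

# Constructed USB copy log (not real data): date,user,files_copied
USB_LOG = """\
2024-03-04,alice,3
2024-03-05,alice,2
2024-03-06,alice,4
2024-03-07,alice,41
2024-03-04,bob,0
2024-03-05,bob,1
2024-03-06,bob,1
2024-03-07,bob,2
"""


def parse_badge(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, user, zone = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, zone))
    return sorted(rows)


def out_of_hours_alone(text: str) -> list:
    """Badge entries outside core hours where nobody else badged into the
    same zone within ALONE_WINDOW either side ('no one else around')."""
    rows = parse_badge(text)
    flagged = []
    for ts, user, zone in rows:
        if CORE_HOURS[0] <= ts.hour < CORE_HOURS[1]:
            continue
        others = [u for t, u, z in rows
                  if z == zone and u != user and abs(t - ts) <= ALONE_WINDOW]
        if not others:
            flagged.append((user, ts.isoformat()))
    return flagged


def usb_spikes(text: str, min_files: int = 10, factor: float = 3.0) -> list:
    """Days where a user's copy count is at least min_files and more than
    `factor` times that user's own median daily count (their own baseline,
    not a global one, so a busy role is not flagged just for being busy)."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        day, user, n = line.split(",")
        per_user[user].append((day, int(n)))
    flagged = []
    for user, days in per_user.items():
        baseline = median([n for _, n in days])
        for day, n in days:
            if n >= min_files and n > factor * max(baseline, 1):
                flagged.append((user, day, n))
    return flagged


if __name__ == "__main__":
    print(out_of_hours_alone(BADGE_LOG))   # alice alone at 05:40 on 03-05
    print(usb_spikes(USB_LOG))             # alice, 41 files on 03-07
```

Both checks produce referrals, not findings: a late entry with a colleague present is not flagged, and a copy spike may have an innocent explanation such as a project hand-over, which is exactly why the article has the referral assessed in context rather than acted on directly.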
Source: UK CPNI Insider Data Collection Study, Report of Main Findings, April 2013, Centre for the Protection of National Infrastructure.
About Neville Hay
Neville is INTERPORTPOLICE's Director of Training. He is an ICAO Avsec Professional Manager and a UK Avsec manager accredited by the UK Department for Transport, and a former member of the risk assessment group at Britain's second largest airport. This is combined with 32 years of diverse operational policing experience, including representation with the National Crime Agency and UK Border Force.